
Bcrypt, how do you verify with the random salt?

I got this code off the PHP website. I can make this work without the Salt. But how do you verify with the salt - or does it have to be stored into a variable then you use that later? Not sure how to proceed to the next step to verify. Lots of tutorials on how to make a hash, but to verify is another thing. Thank you.

$options = [
    'cost' => 11,
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options)."\n";


// See the password_hash() example to see where this came from.
$hash = '$2y$11$nJp/w0OC41I0m44T9OQKBuWUrQi63PrJuvDc68KI6oDBdnZK01kiW ';

if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

Source: http://php.net/manual/en/function.password-verify.php

Just use the function as you did above, it will automatically detect the salt.

If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.

Source: http://php.net/manual/en/function.password-hash.php

Even if you don't add a salt, password_hash will automatically add a randomly generated one, so you shouldn't have any problem verifying a password that has been salted.

Also note that:

The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.
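
An added example (not part of the original question or answers) of what the answers above describe: hashing with no 'salt' option, then verifying from the stored string alone. The helper bcrypt_fields() is a hypothetical name introduced here only to show where the cost and salt sit inside the hash; password_verify() does this parsing internally.

```php
<?php
// Added illustration: the bcrypt string is "$2y$<cost>$<22-char salt><31-char digest>".
// bcrypt_fields() is a hypothetical helper, not a PHP built-in.
function bcrypt_fields(string $hash): array
{
    $re = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['version' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

function show(string $label, bool $result): void
{
    printf("%-45s %s\n", $label, $result ? 'true' : 'false');
}

$password = 'rasmuslerdorf';   // sample password from the question
$options  = ['cost' => 11];    // no 'salt' key: password_hash() generates one per call

// Registration: hash the same password twice; each call picks its own random salt.
$stored = password_hash($password, PASSWORD_BCRYPT, $options);
$other  = password_hash($password, PASSWORD_BCRYPT, $options);

$fields = bcrypt_fields($stored);
printf("stored hash : %s (%d chars)\n", $stored, strlen($stored));
printf("cost        : %d\n", $fields['cost']);
printf("salt        : %s\n", $fields['salt']);
printf("digest      : %s\n", $fields['digest']);

// password_get_info() reports the algorithm and cost recovered from the string.
$info = password_get_info($stored);
printf("algorithm   : %s, cost %d\n\n", $info['algoName'], $info['options']['cost']);

show('two hashes of one password are identical:', $stored === $other);
show('salts of the two hashes are identical:', $fields['salt'] === bcrypt_fields($other)['salt']);

// Login: only the stored string and the candidate password are needed.
show('correct password against first hash:', password_verify($password, $stored));
show('correct password against second hash:', password_verify($password, $other));
show('wrong password against first hash:', password_verify('wrong-guess', $stored));

// The salt lives inside the string, so the column must hold all of it unchanged.
show('correct password against truncated hash:', password_verify($password, substr($stored, 0, 50)));
```

Store the value returned by password_hash() exactly as returned; the PHP manual suggests a 255-character column so that future algorithms with longer output still fit.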
