stackoom
  简体   繁体   中英

PHP - hashing passwords with bcrypt

 原文  2016-12-11 12:01:30       php/ bcrypt/ php-password-hash

Question

I have question about valid hashing passwords:

login.php 

$login = $_POST['login'];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
if(!empty($login) && !empty($password) && password_verify(??){

I want to make secure login and I know that I have to verify the inputted password with existing hash (stored in database?). Also I know that bcrypt everytime makes new hash (because of different salt size etc).

The problem is that I don't know how to put this hash into database because I don't want to register new users, I have static list of users (exactly two: admin and user).

I tried manually copy/paste hash but it wouldn't work as I mentioned earlier that every time I run script new hash is created.

Can anyone help me how to put bcrypt hash in database (only once) so I can only check if inputted password is same as the one in database?

Do I need extra variables to store this hash?

EDIT:

login.php 

<?php
session_start();
include("log.php");
include("pdo.php");
$login = $_POST['login'];
$password = $_POST['password'];

$adminHash = '$2y$10$lxPRtzzPDUZuPlodhU4QquP.IBrGpkjMNplpNgN9S1fEKd64tJ5vm';
$userHash = '$2y$10$Klt345wT66vA.4OAN5PEUeFqvhPQJ4Ua/A4Ylpc1ZcnJZv/hafgSu';

if(!empty($login) && !empty($password) && (password_verify($password, $adminHash) || password_verify($password, $userHash))){
    $query = $pdo->prepare('SELECT * FROM xx WHERE login = ? AND admin = ?');
    $query->execute(array( $login, 1));
    $result = $query->fetchAll();
    if(!empty($result)) {
        $_SESSION['logged_admin'] = 1;
    }
    else {
        $query->execute(array( $login, 0));
        $result = $query->fetchAll();
        if(!empty($result)) {
            $_SESSION['logged_user'] = 1;
        }
        else {
            $_SESSION['logged_error'] = 1;
        }
    }
}
else $_SESSION['logged_error'] = 1;
header("Location:index.php");

?>

it seems to be working but i dont know if it's best/safest solution.
With more passwords it will be too complicated i guess, still looking for best option!
What if i need more users? now every user have same hash and it's dangerous i get it, how to make it safe? generate hash for every user and make array or hashes?

1 answers

solution1
 1  2019-01-19 08:50:37

首先从数据库中获取具有password_hash()的密码,然后将其与password_verify($ password,$ storedpassword)进行比较,如下所示: link

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do you use bcrypt for hashing passwords in PHP? PHP Bcrypt hashing PHP Login with bCrypt Hashed Passwords Registration script in php hashing passwords Is there any way to use bcrypt “hashing” in PHP 5.2? PHP hashing using BCRYPT adds unwanted character How to Compare BCRYPT Hashed Passwords in PHP Alternative to bcrypt when saving passwords in PHP 5.2 Check bcrypt passwords always fails Phalcon php PHP BCrypt for Ruby on Rails Devise passwords
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM