I have to verify bcrypt-hashes created by apache's htpasswd
tool (v2.4.41) using PHP's password_verify
(v7.4.3).
But if I generate a hash:
$ htpasswd -nbB test pass
test:$2y$05$m73wHlBS62EUh7uAxbUCJ.gHIfcEgiorl/1LrzNRAlSSH4bmrBUEy
... and then try to verify it in PHP...
cat << EOF | php -a
if (password_verify('pass', '$2y$05$m73wHlBS62EUh7uAxbUCJ.gHIfcEgiorl/1LrzNRAlSSH4bmrBUEy')) {
echo 'match';
} else {
echo 'mismatch';
}
EOF
... mismatch
is printed. PHP can however verify its own bcrypt hashes...
cat << EOF | php -a
if (password_verify('test', password_hash('test', PASSWORD_BCRYPT))) {
echo 'match';
} else {
echo 'mismatch';
}
EOF
... this prints match
. How can I get password_verify
to verify the externally generated bcrypt hash?
The problem was that in my real-world code there was additional whitespace at the end of the hash due incorrect parsing of the hash value out of a .htpasswd
file.
The 'simplified' example in the OP introduced another, different problem (due escaping special characters in the hash on the commandline) and failed because of that.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.