
How to verify a htpasswd-generated bcrypt hash using PHP?

I have to verify bcrypt hashes created by Apache's htpasswd tool (v2.4.41) using PHP's password_verify (v7.4.3).

But if I generate a hash:

$ htpasswd -nbB test pass
test:$2y$05$m73wHlBS62EUh7uAxbUCJ.gHIfcEgiorl/1LrzNRAlSSH4bmrBUEy

... and then try to verify it in PHP...

cat << EOF | php -a
if (password_verify('pass', '$2y$05$m73wHlBS62EUh7uAxbUCJ.gHIfcEgiorl/1LrzNRAlSSH4bmrBUEy')) {
  echo 'match';
} else {
  echo 'mismatch';
}
EOF

... mismatch is printed. PHP can however verify its own bcrypt hashes...

cat << EOF | php -a
if (password_verify('test', password_hash('test', PASSWORD_BCRYPT))) {
  echo 'match';
} else {
  echo 'mismatch';
}
EOF

... this prints match. How can I get password_verify to verify the externally generated bcrypt hash?

The problem was that in my real-world code there was additional whitespace at the end of the hash due to incorrect parsing of the hash value out of a .htpasswd file.

The 'simplified' example in the OP introduced another, different problem (due to escaping special characters in the hash on the command line) and failed because of that.
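The parsing fix described in the answer, as an added example that is not part of the original post: it reads a .htpasswd record so that trailing whitespace or a carriage return never reaches password_verify, and rejects any field that is not a well-formed 60-character `$2y$` string. The function names and the sample file contents are constructed for illustration; the hash is the one from the question, kept in single quotes so PHP does not interpolate the `$` characters.

```php
<?php
// Added example; function names are hypothetical, not from the original post.

// Return the hash field for $user from .htpasswd-style text, or null if absent.
function htpasswd_lookup(string $contents, string $user): ?string
{
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);               // removes spaces, tabs and a stray "\r"
        if ($line === '' || $line[0] === '#') {
            continue;                      // blank line or comment
        }
        $parts = explode(':', $line, 2);   // user:hash, split on the first colon only
        if (count($parts) === 2 && $parts[0] === $user) {
            return $parts[1];
        }
    }
    return null;
}

function htpasswd_verify_bcrypt(string $contents, string $user, string $password): bool
{
    $hash = htpasswd_lookup($contents, $user);
    // htpasswd -B emits "$2y$" + two-digit cost + "$" + 53 characters (60 total).
    // The D modifier stops "$" from matching just before a trailing newline.
    if ($hash === null || !preg_match('#^\$2y\$\d{2}\$[./A-Za-z0-9]{53}$#D', $hash)) {
        return false;                      // fail closed on anything malformed
    }
    return password_verify($password, $hash);
}

// Constructed sample: CRLF line endings plus a trailing space after the hash.
$sample = "# constructed sample\r\n"
        . 'test:$2y$05$m73wHlBS62EUh7uAxbUCJ.gHIfcEgiorl/1LrzNRAlSSH4bmrBUEy' . " \r\n";

// Naive split on "\n" and ":" keeps the trailing " \r" inside the hash field.
$naive = explode(':', explode("\n", $sample)[1])[1];

printf("naive field length:   %d\n", strlen($naive));
printf("trimmed field length: %d\n", strlen(htpasswd_lookup($sample, 'test')));
var_dump(password_verify('pass', $naive));                  // untrimmed field
var_dump(htpasswd_verify_bcrypt($sample, 'test', 'pass'));  // trimmed and validated
```

Printing the field length, or running it through `var_dump`, is a quick check when a hash that looks correct refuses to verify.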
