stackoom
  简体   繁体   中英

PHP & MYSQL: using bcrypt hash and verifying password with database

 原文  2012-07-14 04:58:54       php/ mysql/ hash/ passwords/ bcrypt

Question

I'm using Mr. Andrew Moore's method ( How do you use bcrypt for hashing passwords in PHP? ) of hashing user's password. What I did is I have a registration page and it uses 

$bcrypt = new Bcrypt(12);
$pass = $_POST['password']; //register password field
$hash= $bcrypt->hash($pass);

// then inserts $hash into database with users registered email (I've checked my mysql database and it indeed has an hashed item

Then I have a login page, consisting of email and password fields. My thought is that email addresses are unique in my database. So with that in mind, I made a script where it check's users email address first, then if there is an existing one, verify the hash password with this 

$bcrypt = new Bcrypt(12);

$email = $_POST['email']; //from login email field
$pass_l = $_POST['password']; // from login password field
$hash_1= $bcrypt->hash($pass_1);

$chk_email= $dbh->prepare("SELECT password FROM table WHERE email = ?");
$chk_email -> execute(array($email));

while($row = $chk_email->fetch(PDO::FETCH_ASSOC)){
    $chk_pass = $row['password']; //inside a while loop to get the password
    $pass_isGood = $bcrypt->verify($hash_1, $chk_pass);
    var_dump($pass_isGood); // I'm getting false

}

I'm not sure what I'm doing wrong, I'm supposed to get true. And I have set my tablefield to text or even varchar(256)

2 answers

solution1
 7 ACCPTED  2012-07-14 18:56:22

Using Andrew Moore's class , you need to call the class verify() method to verify that the user's password matches the hash. The two parameters you pass to it are the plaintext password the user entered and the hash that you stored in the database.

It seems you passed a second hashed password to verify() instead, which is why it's not working. Pass in the plaintext password as the first argument.

solution2
 4  2012-07-16 22:30:12

So just to be explicit and build upon @Michael's answer (since I was looking over Andrew Mooore's solution too):

instead of this: 

$hash_1= $bcrypt->hash($pass_1);
$chk_pass = $row['password']; //inside a while loop to get the password
$pass_isGood = $bcrypt->verify($hash_1, $chk_pass);

you need this: 

$pass_l = $_POST['password'];
$chk_pass = $row['password']; //inside a while loop to get the password
$pass_isGood = $bcrypt->verify($pass_l, $chk_pass);
//notice how 1st parameter of verify(is the text input and not its hashed form

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Password verifying against database using bcrypt PHP password_hash() / bcrypt PHP Verifying passwords using password_verify and password_hash Class to hash password using bcrypt Verifying email and password input from a mysql database via php Password_verify is not verifying the hash in the database How to use BCRYPT with password_hash() in PHP How do you verify a password with PHP/MySQL using BCRYPT PHP: Using bcrypt for password encryption Hash password in PHP and verify with Java (PASSWORD_BCRYPT & jBcrypt)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM