[英]How to verify password against database?
我瀏覽了很多與此主題相關的文章,例如:
使用PHP 5.5的password_hash和password_verify函數
然而,我不確定我是否正在以正確的方式進行哈希和腌制,或者過度使用它!
我想用自己的鹽然后哈希。 salt和散列密碼都存儲在數據庫的兩個不同字段中。
這是我在存儲到數據庫之前散列密碼的方式
$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2a$%02d$", $cost) . $salt;
//shall I remove this line and replace below PASSWORD_DEFAULT with PASSWORD_BCRYPT instead?
$password = crypt($data['password'], $salt);
$hash = password_hash($password, PASSWORD_DEFAULT);
鑒於此,我正在嘗試驗證密碼如下:不知何故,我覺得我使這個過程變得復雜。
$salt=$row['salt'];//taken from db
$hashAndSalt=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password
$newpassword = crypt($password, $salt);
$newhash = password_hash($newpassword, PASSWORD_DEFAULT);
if (password_verify($password, $newhash)) {
echo"verified";
}
else
{
echo"Not verified";
}
編輯:
現在我這樣存儲:
$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);
但驗證令人困惑:
$email = "test55@gmail.com";
$uid= '555ca83664caf';
$sql = "SELECT *FROM authsessions WHERE email =:myemail AND useruuid =:uid";
$statement = $pdo->prepare($sql);
$statement->bindValue(':myemail', $email);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
echo "salt ".$row['salt']."<br/><br/>";
echo "hashpassword ".$row['hashpword'];
}
$salt=$row['salt'];
$hashAndSalt=$row['hashpword'];
$password="test55";
$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);
if (password_verify($newhash, $hashAndSalt)) {
echo"verified";
}
else
{
echo"Not verified";
}
它回應“未經驗證”
函數password_hash()只是一個包裝器,在內部生成一個加密安全的salt,然后調用crypt()
函數來計算BCrypt哈希。
所以沒有理由自己做同樣的步驟(不要調用crypt()並且不生成鹽)。 建議不要生成自己的salt,因為你不能比password_hash函數做得更好。 此外,沒有理由將salt存儲在單獨的db列中,它已經是生成的哈希值的一部分。
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
這將正確驗證,因為它應該。
//on creating an account, a user enters a password!
$password="pwtester";//user keyed in password
$newhash = password_hash($password, PASSWORD_DEFAULT);
//#newhash now has the only value that you need to store in the db
//you do not need any more than this value, that you retrieve when you
//want to verify your password!
//this part is only done to verify passwords!
if (password_verify($password, $newhash)) {
echo"verified";
}
else
{
echo"Not verified";
}
所以只要你已經在數據庫中存儲了哈希
$newhash=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password
if (password_verify($password, $newhash)) {
echo"verified";
}
else
{
echo"Not verified";
}
應該管用!
密碼存儲:
$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);
密碼驗證:
<?php
include('config.php');
$email = "test55@gmail.com";
$uid= '555cb0a63f08d';
$sql = "SELECT *FROM authsessions WHERE useruuid =:uid";
$statement = $pdo->prepare($sql);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
echo "salt ".$salt=$row['salt']."<br/><br/>";
echo "hashpassword ".$hashAndSalt=$row['hashpword'];
echo"<br/>";
}
$password="nony";
//$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);
if (password_verify($password, $hashAndSalt)) {
echo"verified";
}
else
{
echo"Not verified";
}
?>
您將密碼哈希2次。 保留crypt功能,你應該沒問題。
只需看看有關password_verify和password_hash的PHP文檔。
只需使用password_hash()保存密碼即可。 應該將哈希值存儲在數據庫中。
要驗證,您只需將hash與用戶輸入與password_verify進行比較。 Password_verify將為您完成剩下的工作:)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.