Php 密码\u验证哈希与密码不匹配
我已使用以下代码生成密码哈希:Php 密码\u验证哈希与密码不匹配,php,mysqli,php-password-hash,Php,Mysqli,Php Password Hash,我已使用以下代码生成密码哈希: $hash = password_hash("test", PASSWORD_BCRYPT); 然后,我使用255字符将其存储在数据库中 然后我尝试使用比较器测试登录,但失败了。它只允许我使用我刚才生成的哈希值登录,而不是存储在数据库中的哈希值 <?php //Database connection require 'database.php'; //Handle logins if ($_POST['login']) { //Receive
$hash = password_hash("test", PASSWORD_BCRYPT);
<?php
//Database connection
require 'database.php';
//Handle logins
if ($_POST['login'])
{
//Receive the login attempt
$login_email = $_POST['login_email'];
$login_password = $_POST['login_password'];
//Get the password hash
if ($statement = $mysqli->prepare("SELECT password FROM accounts WHERE email = ? LIMIT 1"))
{
$statement->bind_param("s", $login_email);
$statement->execute();
$statement->store_result();
//Does the account exist?
if ($statement->num_rows > 0)
{
$statement->bind_result($hash);
$statement->fetch();
//echo $login_password;
echo $hash."<br>";
//$hash = password_hash("test", PASSWORD_BCRYPT);
//echo $hash."<br>";
//Check the password hash
if (password_verify($login_password, $hash))
{
echo '<br>Password is valid!';
//Begin session
session_start();
$_SESSION["favcolor"] = "yellow";
}
else
{
echo '<br>Invalid password.';
}
}
else
{
//Account doesn't exist warning
}
$statement->free_result();
$statement->close();
}
}
//Handle new registrations
if ($_POST['register'])
{
//Receive the register attempt
$register_email = $_POST['register_email'];
$register_password_one = $_POST['register_password_one'];
$register_password_two = $_POST['register_password_two'];
//Check if email is already taken
if ($statement = $mysqli->prepare("SELECT email FROM accounts WHERE email = ? LIMIT 1"))
{
$statement->bind_param("s", $register_email);
$statement->execute();
$statement->store_result();
//Does the account exist?
if ($statement->num_rows > 0)
{
//Account already exists warning
}
else
{
//Create the account
if ($statement = $mysqli->prepare("INSERT INTO accounts (email, password) VALUES (?,?)"))
{
//Create bycrypt hash of password
$hash = password_hash($register_password_one, PASSWORD_BCRYPT);
//Insert new account
$statement->bind_param("ss", $register_email, $hash);
$statement->execute();
$account_id = $statement->insert_id;
$statement->close();
//Begin session
session_start();
$_SESSION["favcolor"] = "yellow";
}
}
$statement->free_result();
$statement->close();
}
}
//Handle logout
if ($_POST['logout'])
{
session_unset();
session_destroy();
}
?>
- 每次生成的哈希都不同
- 将纯文本传递给password\u verify()函数。。。见下文
$originalPassword=password\u散列(“密码”,默认密码);
//这将产生类似(采取上述形式)的结果
2美元对10美元收费QDETQRTIO8IJ0WI9AUHN5KM28PSB5KUH5QFKDKOSDXP295H1K
//在验证时
if(password\u verify(“THE\u password”,$passwordFromDatabase['password'])){
呼应“成功”;
}否则{
回应“失败”;
}
$login\u password
=test?@ᵈˑ不幸的是,请包含更多代码。这应该行得通。您是否调试了所有涉及的变量,以确认它们的值符合预期(然后发布值)?确保您没有预哈希,并且列的长度足够长,可以容纳哈希,并且是VARCHAR。我使用第一个哈希运行了password\u verify()
函数,它返回false。只需删除它并存储一个有效的密码,例如,您提供的第二个密码。我有点担心使用PASSWORD_DEFAULT,因为如果他们将PASSWORD_DEFAULT的计算方式更改为某种新的加密,会怎么样。那么,我的所有用户都将失去登录功能?据我所知,当引入更强的algo时,这将自动改变,并且它将识别使用以前的algo生成的密码。algo的开头是标识符,在上述情况下,它将是$2y$。是的,我注意到了这一点,并想知道它是什么。这对我来说现在有意义了!让我来测试一下它是否有效:)
$originalPassword = password_hash("THE_PASSWORD", PASSWORD_DEFAULT);
// This will produce something like (taken form above)
$2y$10$tolDQdeTQrTio8IJ0Wi9AuHN5Km28pSB5kUh5qfkdkOsDXP295H1K
// When verifying this
if(password_verify("THE_PASSWORD", $passwordFromDatabase['password'])){
echo "Success";
}else{
echo "Fail";
}