当前位置: 文江博客话题详情

为什么password_verify返回false?

发布于 2025-01-10 06:21:17 字数 544 浏览 3 评论 0原文

我正在使用 password_verify 来检查我的哈希密码。我有 PHP 5.5:

// get result row (as an object)
$result_row = $result_of_login_check->fetch_object();

// using PHP 5.5's password_verify() function to check if the provided password fits
// the hash of that user's password
if (password_verify($_POST['user_password'], $result_row->user_password_hash)) {
    // ...
}

我在 password_verify 上得到 false。我已经检查过 posts 值和 mysql user_password_hash 返回。

我不知道为什么它返回 false。

有什么想法吗?

原文

I'm using password_verify to check my hashed password. I have PHP 5.5:

// get result row (as an object)
$result_row = $result_of_login_check->fetch_object();

// using PHP 5.5's password_verify() function to check if the provided password fits
// the hash of that user's password
if (password_verify($_POST['user_password'], $result_row->user_password_hash)) {
    // ...
}

I'm getting false on password_verify. I've already checked the posts value and mysql user_password_hash return.

I don't know why it's returning false.

Any ideas?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

守望孤独 2025-01-17 06:21:17

根据手册,问题可能出在您的列长度上:
建议将结果存储在可扩展超过 60 个字符的数据库列中(255 个字符是一个不错的选择)。 链接

Probably the problem is with your column length, from the manual:
it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice). link

回复 原文
愛上了 2025-01-17 06:21:17

password_verify 有多种原因可能会返回 false,它的范围可能从表的设置到密码的实际比较,以下是失败的常见原因。

列设置

  • 表中密码列的长度太短:

    • 如果您使用 PASSWORD_DEFAULT,则建议将结果存储在可扩展至 60 个字符以上的数据库列中(255 个字符是一个不错的选择)。
    • 如果您使用 PASSWORD_BCRYPT,则建议将结果存储在 60 个字符的数据库列中,因为 PASSWORD_BCRYPT 始终会生成 60 个字符的字符串或 FALSE失败时。

密码清理

另一个常见原因是,当开发人员尝试“清理”用户密码以防止其被恶意攻击时,结果会导致输入与表中存储的内容不同。甚至没有必要转义输入,您应该使用准备好的语句。您甚至不应该修剪密码,因为这可能会更改最初提供的密码。

密码验证

使用password_verify时,您需要将明文密码与数据库中的哈希值进行比较,而不是比较哈希值(这里的含义是您需要在用户注册时存储用户的哈希密码) :

<?php

$hashed = password_hash('test', PASSWORD_DEFAULT);
$password = 'test';

if (password_verify($password, $hashed)) {
  echo 'success';
} else {
  echo 'fail';
}

?>

Repl

硬编码密码

在您使用硬编码哈希且面临的情况下问题,请确保在变量中存储值时使用单引号而不是双引号,因为使用双引号时将解释 $

<?php
// Undefined variable: QHpfI0MfQWjvsVQWRdFHSOX6WqG8LSf0iFGiKs0Fz0RvqhpFOpAKu :1
$incorrect = "$2y$10$QHpfI0MfQWjvsVQWRdFHSOX6WqG8LSf0iFGiKs0Fz0RvqhpFOpAKu";

$correct = '$2y$10$QHpfI0MfQWjvsVQWRdFHSOX6WqG8LSf0iFGiKs0Fz0RvqhpFOpAKu';
?>

: it/repls/DarkblueFractalOperatingenvironment" rel="noreferrer">Repl - 分别注释掉。

附录

根据文档:

警告强烈建议您不要为此函数生成自己的盐。如果您不指定,它会自动为您创建一个安全的盐。

如上所述,在 PHP 7.0 中提供 salt 选项将生成弃用警告。在未来的 PHP 版本中可能会删除对手动提供盐的支持。

There are a variety of reasons why password_verify could be returning false, it can range from the setup of your table to the actual comparing of the password, below are the common causes of it failing.

Column Setup

  • The length of the password column in your table is too short:

    • If you are using PASSWORD_DEFAULT then it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
    • If you are using PASSWORD_BCRYPT then it is recommended to store the result in a database column that is 60 characters because PASSWORD_BCRYPT will always result in a 60 character string or FALSE on failure.

Password Sanitization

Another common cause is when developers try to "clean" the user's password to prevent it from being malicious, as a result, this causes the input to be different to what is being stored in the table. It is not even necessary to escape the input, you should use prepared statements instead. You shouldn't even trim the passwords as that could change that which was originally provided.

Password Verification

When using password_verify you need to compare the plaintext password with the hash from the database, not compare hashes (the implication here being that you need to have stored the hashed password of the user when they register):

<?php

$hashed = password_hash('test', PASSWORD_DEFAULT);
$password = 'test';

if (password_verify($password, $hashed)) {
  echo 'success';
} else {
  echo 'fail';
}

?>

Repl

Hardcoded Passwords

In the instance that you are using a hardcoded hash and you are facing issues, ensure that you are using single quotes instead of double quotes when storing the value in the variable as the $ will be interpreted in when using double quotes:

<?php
// Undefined variable: QHpfI0MfQWjvsVQWRdFHSOX6WqG8LSf0iFGiKs0Fz0RvqhpFOpAKu :1
$incorrect = "$2y$10$QHpfI0MfQWjvsVQWRdFHSOX6WqG8LSf0iFGiKs0Fz0RvqhpFOpAKu";

$correct = '$2y$10$QHpfI0MfQWjvsVQWRdFHSOX6WqG8LSf0iFGiKs0Fz0RvqhpFOpAKu';
?>

Repl - Comment out respectively.

Addendum

As per the documentation:

Caution It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

As noted above, providing the salt option in PHP 7.0 will generate a deprecation warning. Support for providing a salt manually may be removed in a future PHP release.

回复 原文
蓝海 2025-01-17 06:21:17

调试问题的简单步骤:

  1. 在注册阶段打印并写下原始密码和哈希值的准确值。类似的东西

     var_dump($password);
 $hash =password_hash($password, PASSWORD_DEFAULT);
 var_dump($哈希);

    然后将输出复制并粘贴到某个文本文件中。

  2. 打印并写下登录阶段提供的密码的准确值以及从数据库返回的哈希值。类似的东西

     var_dump($password);
 var_dump($row['密码']);
 if(password_verify($password, $row['password'])) ...

然后简单地比较这些值 如果 password_verify() 失败,则原始密码或哈希值不匹配。如果原始密码不匹配,则输入的密码要么不正确,要么在一些无用的“清理”过程中被破坏。如果从数据库返回的哈希不匹配,那么它要么在一些无用的“清理”过程中被损坏,要么由于数据库中不正确的列属性而被更改。

Simple steps to debug the issue:

  1. Print out and write down exact values of the raw password and the hash during the registration phase. Something like

     var_dump($password);
 $hash = password_hash($password, PASSWORD_DEFAULT);
 var_dump($hash);

    then copy and paste the output into some text file.

  2. Print out and write down exact values of the password provided during login phase and the hash returned from DB. Something like

     var_dump($password);
 var_dump($row['password']);
 if(password_verify($password, $row['password'])) ...

And then simply compare those values. If password_verify() fails, either raw passwords or hashes don't match. If raw passwords don't match then the entered password is either incorrect or was maimed during some useless "sanitization". If the hash returned from DB doesn't match, then it either was maimed during some useless "sanitization" or it was changed due to incorrect column properties in the database.

回复 原文
惯饮孤独 2025-01-17 06:21:17

检查参数顺序

只是指出发生在我身上的事情,几分钟前我正在阅读同一主题并试图解决我的问题,并且也可以帮助您解决问题。
看看您是否以正确的顺序为password_verify()提供参数:

password_verify(字符串 $password, 字符串 $hash)

密码是您通过邮寄或其他方式收到并正在尝试验证的密码。

哈希是您要与密码进行比较的哈希值。(例如,存储在数据库中的密码哈希值)

我碰巧颠倒了参数的顺序,所以结果没有按我的预期出现。

Check the parameters order

Just to point something that happened to me, who was reading this same topic trying to solve my problem minutes ago, and can help you to solve the problem as well.
See if you are giving the parameters for password_verify() in the right order:

password_verify(string $password, string $hash)

password is the password you received by post or other method and are trying to validate.

hash is the hash that you want to compare the password to.(e.g. The password hash stored in your Data Base)

It happened to me that I inverted the order of the parameters, so the result wasn't coming as I expected to.

回复 原文
~没有更多了~

关于作者

也只是曾经

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

李珊平

文章 0 评论 0

Quxin

文章 0 评论 0

范无咎

文章 0 评论 0

github_ZOJ2N8YxBm

文章 0 评论 0

若言

文章 0 评论 0

南…巷孤猫

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文