Does PHP have a password_verify bug?
The following code snippet should not emit 'MATCHED' because the password 'testtest' does not match 'testtesttest', but does on PHP 7.4.3 for me. Am I doing something wrong?
<?php
$sPass = 'testtesttest';
$sSalt = hash('sha256','this is my salt');
$sShadow = password_hash($sSalt . $sPass,PASSWORD_BCRYPT);
echo (password_verify($sSalt . 'testtest',$sShadow) ? 'MATCHED' : 'nomatch');
Note, if you remove the salt references above, the code works fine. It's like the password_hash and password_verify functions of PHP have a size limitation where they no longer become accurate if the string is longer than so many characters.
So, I'm thinking this is a bug.
BCrypt can only handle 72 characters, your salt takes up 64 characters, so only 8 characters of your password are considered.
Use the binary form of your salt to not "waste" as many characters or just don't use one at all, as password_hash() will generate one anyway.
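The following script is an added example, not code from the question or the answer above. It reproduces the truncation the answer describes (bcrypt uses only the first 72 bytes of its input, so a 64-character hex salt leaves 8 bytes for the password), then shows the two remedies the answer suggests: a raw binary salt that consumes 32 bytes instead of 64, and, preferably, no manual salt at all, since password_hash() generates and stores a random per-password salt itself. The salt phrase and passwords are constructed test values; the helper functions bcryptEffectiveInput() and exceedsBcryptLimit() are hypothetical names introduced here. One caveat the answer does not mention: bcrypt treats its input as a C string, so a raw salt that happens to contain a NUL byte would cut the input short at that byte, which is why the binary variant below checks for one.

```php
<?php
// Added example: demonstrating bcrypt's 72-byte input limit and why a long
// manual salt makes password_verify() accept a shorter password.

const BCRYPT_MAX_INPUT_BYTES = 72;   // bytes, not characters: multibyte UTF-8 counts per byte

// The part of the input that bcrypt actually looks at.
function bcryptEffectiveInput(string $input): string
{
    return substr($input, 0, BCRYPT_MAX_INPUT_BYTES);
}

// Flag passwords that would be silently truncated (useful as an input check).
function exceedsBcryptLimit(string $password): bool
{
    return strlen($password) > BCRYPT_MAX_INPUT_BYTES;
}

// 1) The questioner's construction: 64 hex chars of salt + password.
$hexSalt = hash('sha256', 'this is my salt');                // 64 ASCII hex characters
$hash1   = password_hash($hexSalt . 'testtesttest', PASSWORD_BCRYPT);

// Both inputs agree on their first 72 bytes, so bcrypt cannot tell them apart.
var_dump(bcryptEffectiveInput($hexSalt . 'testtesttest')
      === bcryptEffectiveInput($hexSalt . 'testtest'));       // bool(true)
var_dump(password_verify($hexSalt . 'testtest', $hash1));    // bool(true)  <- the "bug"

// 2) Raw binary salt: 32 bytes instead of 64, leaving 40 bytes for the password.
$rawSalt = hash('sha256', 'this is my salt', true);          // 32 raw bytes
if (strpos($rawSalt, "\0") !== false) {
    // bcrypt stops at a NUL byte, so such a salt would truncate the input again.
    throw new RuntimeException('raw salt contains a NUL byte; choose a different derivation');
}
$hash2 = password_hash($rawSalt . 'testtesttest', PASSWORD_BCRYPT);
var_dump(password_verify($rawSalt . 'testtest', $hash2));    // bool(false)
var_dump(password_verify($rawSalt . 'testtesttest', $hash2)); // bool(true)

// 3) Recommended: no manual salt. password_hash() embeds a random salt in the
//    returned string, and password_verify() reads it back from there.
$hash3 = password_hash('testtesttest', PASSWORD_BCRYPT);
var_dump(password_verify('testtest', $hash3));               // bool(false)
var_dump(password_verify('testtesttest', $hash3));           // bool(true)

// 4) Input check: anything beyond 72 bytes is ignored by bcrypt, so detect it up front.
var_dump(exceedsBcryptLimit(str_repeat('a', 72)));           // bool(false)
var_dump(exceedsBcryptLimit(str_repeat('a', 73)));           // bool(true)
```

Run it with `php example.php`; the var_dump() lines print the values shown in the comments. Variant 3 is the one to use in practice: prepending your own salt gains nothing over the per-password salt password_hash() already generates, and it spends bytes of a fixed 72-byte budget that the user's password needs.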