我尝试使用两个不同的包装器,即password_compat和Bcrypt来加密我的密码。哈希保存得很好,但检查比较从不匹配。
我使用以下代码存储哈希密码:
//include ( "Bcrypt.php" );
include ( "password_compat-master/lib/password.php" );
if ( isset ( $_POST["username"] ) and isset ( $_POST["email"] ) and isset ( $_POST["password"] ) )
{
$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];
//$hash = Bcrypt::hash( $password );
$hash = password_hash( $password , PASSWORD_BCRYPT ); //password_compat function
$connect = mysqli_connect( "server" , "user", "pass" , "database" );
//Code to generate next database key ($next)
$sql_insert = "INSERT INTO `use_users` (`UserID`,`Username`,`Password`,`EmailAddress`) VALUES('$next','$username','$hash','$email');";
$res_insert = $connect -> query( $sql_insert );
}
我使用以下代码验证密码(我知道可能的SQL注入!):
//include ( "Bcrypt.php" );
include ( "password_compat-master/lib/password.php" );
if ( isset ( $_POST["username"] ) and isset ( $_POST["password"] ) )
{
$username = $_POST["username"];
$password = $_POST["password"];
$connect = mysqli_connect( "server" , "user", "pass" , "database" );
$sql_verify = "SELECT * FROM `use_users` WHERE `Username`='$username';";
$res_verify = $connect -> query( $sql_verify );
while ( $exe_verify = mysqli_fetch_array( $res_verify ) )
{
$hash = $exe_verify["Password"];
//$check = Bcrypt::check( $password , $hash );
$check = password_verify( $password , $hash ); //password_compat function
if ( $check ) echo "Pass.";
else if ( ! $check ) echo "Fail.";
}
}
当我编写自己的哈希检查(crypt( $password, $hash))时,它返回与存储的哈希相同的哈希值,但附加了附加字符。
我做错了什么?它是MySQL的东西吗?
答案 0 :(得分:4)
我认为您的字段可以存储的字符少于生成的哈希长度。因此哈希在instert之前被截断了。