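On my login page, I get an error after password_verify, as if I were using hash_equals when verifying the password. I need to know why.
The second problem is that every time I change the password through the change-password page, hash_equals does not verify the password. Here is the code:
if (!password_verify($password, $user['password'])) {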
$errors[]='Password does not match';
}
if (!hash_equals($password, $user['password'])) {
$errors[]='Password does not match';
}
Answer 0: (score: 0)
The function hash_equals() is not meant to verify a password against a hash; that is the job of the password_verify() function, so do not use hash_equals() in your code:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($_POST['password'], PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($_POST['password'], $existingHashFromDb);
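The login and change-password flow discussed above, as an added example that is not part of the original answer. The in-memory `$user` record, the sample passwords and the helper names `checkLogin()` and `changePassword()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample record standing in for a database row (hypothetical).
$user = ['name' => 'alice', 'password' => password_hash('old-secret', PASSWORD_DEFAULT)];

// Login check: password_verify() reads the algorithm, cost and salt from the
// stored hash, re-hashes the candidate and compares the result in constant time.
function checkLogin(array &$user, string $candidate): bool
{
    if (!password_verify($candidate, $user['password'])) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT has moved on since it was made.
    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        $user['password'] = password_hash($candidate, PASSWORD_DEFAULT);
    }
    return true;
}

// Change-password flow: confirm the current password, then store a fresh hash
// of the new one. The plaintext itself is never stored or compared.
function changePassword(array &$user, string $current, string $new): bool
{
    if (!checkLogin($user, $current)) {
        return false;
    }
    $user['password'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// hash_equals() only tests whether two strings are byte-identical. A plaintext
// password is never identical to its salted hash, so the second check in the
// question rejects even the correct password.
var_dump(hash_equals($user['password'], 'old-secret'));
var_dump(checkLogin($user, 'old-secret'));

var_dump(changePassword($user, 'old-secret', 'new-secret'));
var_dump(checkLogin($user, 'new-secret'));
var_dump(checkLogin($user, 'old-secret'));

// Where hash_equals() does belong: a timing-safe comparison of two values of
// the same kind, such as a session CSRF token and the one a form submitted.
$sessionToken = bin2hex(random_bytes(32));
$submitted = $sessionToken; // constructed: what a legitimate form post would carry
var_dump(hash_equals($sessionToken, $submitted));
```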