drfb52000 2017-06-20 20:44
浏览 82
已采纳

是否需要从数据库中获取哈希? password_hash bcrypt [复制]

This question already has an answer here:

I use PHP's password_hash and bcrypt algorithm to hash my passwords. They are in MySQL database.

password_hash($password, PASSWORD_BCRYPT);

As obvious every hash generated by this function is different. But is it really necessary, to identify user by email/login or something to grab his hash from database and then verify it with PHP's password_verify()?

Is it really necessary to make this query and then check?

I mean, is it possible to check hash before, and after only do query to check if it matches this one in MySQL?

Or something else maybe? I remember years ago I used something like checking inside query, like 

WHERE login = $login and pass = PASSWORD($password)

Especially I mean this PASSWORD($password)?

Is there other option than fetch user's hash from Database and then verify this hash with password_verify()?

</div>
  • 写回答

1条回答 默认 最新

  • drryyiuib43562604 2017-06-20 20:46
    关注

    Yes, it's necessary. You need the unique salt generated during hashing, encoded as part of the hash, to do the comparison. That's also exactly why this algorithm is so strong for password storage.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 mmocr的训练错误,结果全为0
  • ¥15 python的qt5界面
  • ¥15 无线电能传输系统MATLAB仿真问题
  • ¥50 如何用脚本实现输入法的热键设置
  • ¥20 我想使用一些网络协议或者部分协议也行,主要想实现类似于traceroute的一定步长内的路由拓扑功能
  • ¥30 深度学习,前后端连接
  • ¥15 孟德尔随机化结果不一致
  • ¥15 apm2.8飞控罗盘bad health,加速度计校准失败
  • ¥15 求解O-S方程的特征值问题给出边界层布拉休斯平行流的中性曲线
  • ¥15 谁有desed数据集呀