PHP password_verify错误地返回false

I've searched high and low for this topic, and no one has the same issue I'm experiencing that I could find.

I'm creating a user in a MySQL table, with a hash from password_hash with a strength of 10.

I've been having hell getting it to validate, and have a test script made to actually validate my findings. Here is the script:

public function testAction(){
    $data = new dataHandler;
    $data->table = "access";

    $hash1 = $data->insert(array('email'=>'test6@test.com', 'password'=>'ABC123.abc', 'password_confirm'=>'ABC123.abc', 'alias'=>'ABC123.abc'));

    $res = $data->find(array('email'=>'test6@test.com'));

    $hash2 = $res[0]['hash'];

    $test = password_verify('ABC123.abc', $hash1);
    $test2 = password_verify('ABC123.abc', $hash2);

    var_dump($test);
    echo "<br>";
    var_dump($test2);

    echo "<br><br>";

    echo "Length: " . strlen($hash1) . "<br>{$hash1}<br>Length: " . strlen($hash2) . "<br>{$hash2}";

    die();
}

To verify that my script wasn't somehow doing something weird when storing, I made my hash method (called from within the insert() method dynamically) echo out the hash directly:

public function createHash($password){
    $hash = password_hash($password, HASH);
    echo "Length: " . strlen($hash) . "<br>$hash<br>";
    return $hash;
}

Here's the insert method. cleanData simply unsets anything not available in a describe - it is not changing any values whatsoever. Warning, it's terribly ugly presently due to a lot of debugging and such:

public function insert($data){
    if(!is_array($data)){
        return false;
    } else {
        $this->openDb();
        $ins = "";
        $fs = "";

        $data = $this->cleanData($data);

        foreach($data as $key => $field){
            if($key == "password"){
                $auth = new authorization;

                $key = "hash";
                $field = $auth->createHash($field);

                $data['hash'] = $field;



                unset($data["password"]);
            }

            $ins .= ":{$key}, ";
            $fs .= "`{$key}`, ";
            //$data[$key] = $this->DBH->quote($field);
        }

        $ins = rtrim($ins, ", ");
        $fs = rtrim($fs, ", ");

        try {

            # the shortcut!
            $this->DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
            $this->DBH->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
            $STH = $this->DBH->prepare("INSERT INTO `" . $this->table . "` ($fs) value ($ins)");

            $STH->execute($data);

            $id = $this->DBH->lastInsertId();

            $this->closeDb();

            return $data['hash']; //Debugging
            return $id;
        } catch(PDOException $e) {
            $this->errHandler($e->getMessage());
        }
    }
}

Now, here's the output:

Length: 60
$2y$10$wGJxGjK4Lz4FgZ3OZJjBo.9lF7LE90p3Q5inOsBROQTU5FBVdj1LK
bool(true) 
bool(false) 

Length: 60
$2y$10$wGJxGjK4Lz4FgZ3OZJjBo.9lF7LE90p3Q5inOsBROQTU5FBVdj1LK
Length: 60
$2y$10$wGJxGjK4Lz4FgZ3OZJjBo.9lF7LE90p3Q5inOsBROQTU5FBVdj1LK

As you can see, both password_verify attempts fail. The first comes from the hash generation without any further manipulation, the second comes from the database.

What am I doing wrong?

The only thing I could find when searching was people testing and using double quotes, or random human error. This, however, doesn't appear to me to be either of those two.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
donglian8407 2015-10-25 05:35
关注
That password hash is for the empty string, try it yourself:

<?php echo password_verify('', '$2y$10$4Y7kQNP/6XyBtQQ4zPI6ZuaelCjHdWE.kBRTUVk56J7PV4BQYWoUS')?'Y':'N'; ?>

Make sure you're passing createHash a valid $password.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

PHP：password_verify总是返回false php
2017-04-29 12:13

回答 2 已采纳 You need to pass simple text password without hash as first param if ( password_verify($login_pas
php password_hash和password_verify失败 php
2017-10-22 11:17

回答 2 已采纳 You can do this via while loop and mysqli_fetch_array(). That must solve your problem.: [UPDATED]
为什么password_verify返回false？ php
2018-06-18 13:18

回答 1 已采纳 There are a variety of reasons why password_verify could be returning false, it can range from the
大数据技术之数据安全与网络安全——CMS靶场(文章管理系统)实训
2023-11-25 00:25

星川皆无恙的博客数据与网络安全作为保障大数据系统正常运行的基石，同样备受关注。今天写博客时候发现自己很久没更新数据安全与网络安全方面的内容了，于是花了点时间写一篇CMS靶场实训博客。本文通过CMS靶场实训，深入分析CMS系统...
无法使用password_verify验证密码 php
2019-01-10 21:17

回答 2 已采纳 @YashKaranke what is the password column's length? – Funk Forty Niner @FunkFortyNiner It is 5
password_verify不返回true / false php
2017-04-28 12:24

回答 1 已采纳 After testing your entire code, I have come to the following conclusion. The problem here is that
为什么password_verify为正确的密码返回false？ php
2018-03-15 20:55

回答 1 已采纳 Not sure if answering is a good idea .. but ill try To use password_verify you must have a hashse
大数据入门教程
2020-01-08 16:29

时ˇ移的博客 VMware Workstation 是一种虚拟机管理软件，安装该软件后，可以创建多个虚拟机（即虚拟PC），然后在虚拟机上安装操作系统即可，每台虚拟机本身就像一台真正地电脑一样。 1.2.2 VMware 的主要特点： (1)可以在同一...
PHP password_verify false negative [关闭] php
2017-08-25 17:31

回答 1 已采纳 Check your table structure. Your hash field needs to be of length 60 (for PASSWORD_BCRYPT) or 255
PHP中的password_verify无法使用数据库 mysql php
2015-12-03 11:49

回答 1 已采纳 You are not passing the user password into password_hash() function. The first parameter should be
使用password_verify登录CodeIgniter php
2019-01-09 19:31

回答 1 已采纳 What you need to do is fetch the record from the DB where only the email matches (assuming it is t
使用PHP和Apple Passbook的数字票
2020-08-13 04:14

culi3118的博客 Why should we PHP warriors care at all about Apple’s Passbook? Well first because Apple made this technology open (well, sort of…), second because it can be used outside iOS devices, and third ...
登录时如何检查Password_Verify哈希？ php
2018-01-29 04:36

回答 3 已采纳 Your code is vulnerable to SQL-Injection Please use Prepared Statements instead of inserting your
symfony后台系统_Symfony2预注册和邀请系统
2020-08-28 07:19

culi4814的博客 The app will verify the user name and password. 用户登录。应用程序将验证用户名和密码。 Optionally, the app can do some post-login activities. In this case, we will update the user’s last login date/...
ChatGPT 和 Elasticsearch：OpenAI 遇见私有数据（二）
2023-04-28 21:00

Elastic 中国社区官方博客的博客 FINGERPRINT), # basic_auth=(USERNAME, PASSWORD), # verify_certs = False) # resp = es.info( print((resp)) hf_model_id='sentence-transformers/all-distilroberta-v1' tm = TransformerModel(hf_model_id, ...
大数据实战记录
2020-12-14 16:16

Beth_Chan的博客 Verify the network connection [root@hadoop01 ~]# ping hadoop01 PING hadoop01 (172.16.235.134) 56(84) bytes of data. 64 bytes from hadoop01 (172.16.235.134): icmp_seq=1 ttl=64 time=0.041 ms 64 bytes ...
大数据笔记
2019-10-03 16:33

diyinjiao1404的博客 :返回刚刚执行命令的结果，0表示成功，非0表示失败　2.$#:表示获取参数的个数　eg:rm -r bin //$# 2（含bin）　eg:if[$# -gt 1] 　3.$n:表示取第n个参数　4.$@:表示所有参数　5.shift:表示向左移动...
phing_通过Phing部署和发布您的应用程序
2020-08-27 03:20

culi4814的博客 value syntax, for example: project.properties文件只是一个文本文件，它使用键值语法存储设置，例如： ftp.host=host.example.com ftp.port=21 ftp.username=example ftp.password=123456 app.home=${ftp.host...
大数据项目实施笔记
2020-03-20 09:19

CN丶LRH的博客但是目前大数据风控还存在时效性差，准确性不高等问题。综合用户分析平台包含综合数据分析|登陆风险|注册风险|交易风险|活动风险分析等模块。以下是个各个子系统之间的关系。业务系统：通常指的是APP+后台或Web...
没有解决我的问题, 去提问

悬赏问题

¥15 Qt下使用tcp获取数据的详细操作
¥15 idea右下角设置编码是灰色的
¥15 全志H618ROM新增分区
¥20 jupyter保存图像功能的实现
¥15 在grasshopper里DrawViewportWires更改预览后，禁用电池仍然显示
¥15 NAO机器人的录音程序保存问题
¥15 C#读写EXCEL文件，不同编译
¥15 MapReduce结果输出到HBase，一直连接不上MySQL
¥15 扩散模型sd.webui使用时报错“Nonetype”
¥15 stm32流水灯＋呼吸灯＋外部中断按键

PHP password_verify错误地返回false

1条回答 默认 最新

悬赏问题

1条回答默认最新