dsideal2015 2014-10-08 10:54
浏览 41
已采纳

使用password_hash [duplicate]验证密码是否已经哈希和盐渍

This question already has an answer here:

Let's hash and salt a password with:

<?php
$hash = password_hash('bonjour', PASSWORD_BCRYPT,  ['cost' => 12, ]);
// no salt option mentionned 
// then salt will be generated randomly, see password_hash documentation     
echo $hash;
?>

The result changes on each reload of the page, that's normal : the salt is randomly generated, it can be :

$2y$12$FlxBBjTjelKkGY.SJarlL.THUZBwcl7M6V35DmZmTmYJZRwhpRkIW
$2y$12$p2pkD116hBHNc/2nyQ2WyOkrn.h8xvWvM1.Lmvsnhms2Y6zsb.j1e
$2y$12$u4ipdQQM926jfanpXnwtkupv2CH/uWoPvK563tG7p.z35GcOBOZdS
etc.

In the previous code, the salt seems to be stored nowhere (am I wrong ?). But at the end password_verify is able to check the password with the hash, and it works with every result, regardless what the salt was. 

<?php
echo password_verify('bonjour', '$2y$12$FlxBBjTjelKkGY.SJarlL.THUZBwcl7M6V35DmZmTmYJZRwhpRkIW') ? 'yes' : 'no';
// yes
echo password_verify('bonjour', '$2y$12$p2pkD116hBHNc/2nyQ2WyOkrn.h8xvWvM1.Lmvsnhms2Y6zsb.j1e') ? 'yes' : 'no';
// yes
?>

Is it normal that password_verify is able to check the password without having to store the salt somewhere? 

</div>
  • 写回答

1条回答 默认 最新

  • dongzhuzhou4504 2014-10-08 10:57
    关注

    From the PHP.net manual

    Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

    The salt is encoded in the hash, basically.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 乌班图ip地址配置及远程SSH
  • ¥15 怎么让点阵屏显示静态爱心,用keiluVision5写出让点阵屏显示静态爱心的代码,越快越好
  • ¥15 PSPICE制作一个加法器
  • ¥15 javaweb项目无法正常跳转
  • ¥15 VMBox虚拟机无法访问
  • ¥15 skd显示找不到头文件
  • ¥15 机器视觉中图片中长度与真实长度的关系
  • ¥15 fastreport table 怎么只让每页的最下面和最顶部有横线
  • ¥15 java 的protected权限 ,问题在注释里
  • ¥15 这个是哪里有问题啊?