如何比较用户输入的散列密码？

I want my login password to be secured. So I came up to use the PHP's crypt() function to hash the password before inserting it to database. But Im having trouble when comparing the user input password from the converted hash password. Here's my code:

<?php
$password = 'hello_password';

# A higher "cost" is more secure
$cost = 10;

# Create a random salt
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');

# Blowfish algorithm. 
$salt = sprintf("$2a$%02d$", $cost) . $salt;
$salted_password = $password . $salt;  // apply salt to password

# hash the password
$hash_password = hash('sha256', $salted_password);

$userInput = 'hello_password';  // suppose this is the user input password 

if (hash('sha256',$userInput) == $password) {
    echo "Password Verified.";
}
else {
    echo "Incorrect Password";
}

But it always displays Incorrect Password although my password is correct. I don't want to use "hash_equals" function as it is not supported with my current PHP version. Can someone help me with this ? Thanks

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dquoj04882 2015-02-09 00:15
关注
You're comparing a hashed user input to the actual user password. So of course this is never going to work.

You're basically asking if hash == 'hello_password'. A hash will never match that, that is the whole point of a hash. You also aren't using the salt with the user input.

You hash the actual password with a salt which is fine:

$salted_password = $password . $salt; // apply salt to password # hash the password $hash_password = hash('sha256', $salted_password);

So you need to hash the user input with the salt, the same way:

$salted_input = $userInput . $salt; // apply salt to user input # hash the input $hash_input = hash('sha256', $salted_input);

Then you can compare $hash_input with $hash_password.

You also aren't using a salt properly. The salt is supposed to be used in the storage of the password to prevent rainbow table attacks. Randomly generating a salt to apply to both the input and the password at the time of comparison is pointless.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

在 PHP 中如何使用 bcrypt 实现散列密码？ php
2011-01-25 15:34

回答 9 已采纳 bcrypt is a hashing algorithm which is scalable with hardware (via a configurable number of rounds
PHP登录代码错误与散列密码 php
2014-06-13 13:47

回答 2 已采纳 Your password seems to be the first 30 characters of the hash... i think it may have something to
我应该在使用AJAX发送时散列密码吗？ ajax php
2014-08-03 08:51

回答 2 已采纳 The common approach is to send the passwords as plain text to the server (making an AJAX call, in
php不用密码登录,使用散列密码登录PHP
2021-04-28 07:52

波澜不惊的蓝果冻的博客正如标题所示,在注册表单中对密码进行哈希处理后,我无法登录用户.我已经使用了PHP内置的password_hash()和password_verify()函数,但它在signin.php上,其中使用了password_verify(),我遇到了麻烦.我知道password_...
NodeJS如何散列缓冲区？ node.js php
2018-09-05 10:08

回答 1 已采纳 I think this question might stem from a misunderstanding of what Node.js buffers are. They are rea
mysql查询用散列密码更新数据库 mysql php
2017-04-11 11:03

回答 1 已采纳 You should never, under any circumstances, store the password in plain-text. This means that when
使用Linux用来散列用户密码的算法来散列字符串？ php
2011-06-16 03:48

回答 2 已采纳 You might need to know some background information on Linux password storage formats - especially
php密码登录,使用散列密码登录PHP
2021-04-28 08:22

网络游侠的博客正如标题所示,在注册表单中对密码进行哈希处理后,我无法登录用户.我已经使用了PHP内置的password_hash()和password_verify()函数,但它在signin.php上,其中使用了password_verify(),我遇到了麻烦.我知道password_...
从数据库验证散列密码 html5 php
2015-09-29 10:56

回答 2 已采纳 In this line if(password_verify($myPassword, $result2 )){ the variable $result2 is supposed to
将确认密码与散列密码进行比较 Laravel 4 laravel mysql php
2013-08-25 03:27

回答 1 已采纳 Don't pass the hashed password to the validator. Hash it before you save it: public function getS
PHP代码审计----5、密码散列安全
2021-07-06 10:27

七天啊的博客文章目录1、密码散列化2、md5() 和 sha1()问题3、如何对密码进行散列处理？4、“盐”是什么？...当设计一个需要接受用户密码的应用时，对密码进行散列是最基本的，也是必需的安全考虑。如果不对密码
php计算字符串散列,php计算字符串的MD5散列
2021-03-23 22:48

胡辰鑫的博客实例计算字符串 "Hello" 的 MD5 散列：
php密码加密函数,PHP 用户密码加密函数password_hash
2021-04-28 03:17

weixin_39521651的博客自PHP5.5.0之后，新增加了密码散列算法函数(password_hash)，password_hash() 使用足够强度的单向散列算法创建密码的散列(hash)。 password_hash() 兼容 crypt()。所以， crypt() 创建的密码散列也可用于 password_...
php清理在线用户,php – 清理用户密码
2021-04-16 01:22

ElemeFe的博客你不应该逃避，修剪或使用任何其他清理机制的密码，你将使用PHP的password_hash()散列有多个原因，其中最大的一个是因为做额外的清理密码需要不必要的附加代码。你会争论(在你的系统中...散列密码的行为是使密码安...
没有解决我的问题, 去提问

悬赏问题

¥15 安卓adb backup备份应用数据失败
¥15 eclipse运行项目时遇到的问题
¥15 关于#c##的问题：最近需要用CAT工具Trados进行一些开发
¥15 南大pa1 小游戏没有界面，并且报了如下错误，尝试过换显卡驱动，但是好像不行
¥15 没有证书，nginx怎么反向代理到只能接受https的公网网站
¥50 成都蓉城足球俱乐部小程序抢票
¥15 yolov7训练自己的数据集
¥15 esp8266与51单片机连接问题(标签-单片机|关键词-串口)（相关搜索：51单片机|单片机|测试代码）
¥15 电力市场出清matlab yalmip kkt 双层优化问题
¥30 ros小车路径规划实现不了，如何解决？(操作系统-ubuntu)