2017-06-20 20:44
浏览 82

是否需要从数据库中获取哈希? password_hash bcrypt [复制]

This question already has an answer here:

I use PHP's password_hash and bcrypt algorithm to hash my passwords. They are in MySQL database.

password_hash($password, PASSWORD_BCRYPT);

As obvious every hash generated by this function is different. But is it really necessary, to identify user by email/login or something to grab his hash from database and then verify it with PHP's password_verify()?

Is it really necessary to make this query and then check?

I mean, is it possible to check hash before, and after only do query to check if it matches this one in MySQL?

Or something else maybe? I remember years ago I used something like checking inside query, like

WHERE login = $login and pass = PASSWORD($password)

Especially I mean this PASSWORD($password)?

Is there other option than fetch user's hash from Database and then verify this hash with password_verify()?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • drryyiuib43562604
    drryyiuib43562604 2017-06-20 20:46

    Yes, it's necessary. You need the unique salt generated during hashing, encoded as part of the hash, to do the comparison. That's also exactly why this algorithm is so strong for password storage.

    点赞 评论