drfb52000
2017-06-20 20:44
浏览 82
已采纳

是否需要从数据库中获取哈希? password_hash bcrypt [复制]

This question already has an answer here:

I use PHP's password_hash and bcrypt algorithm to hash my passwords. They are in MySQL database.

password_hash($password, PASSWORD_BCRYPT);

As obvious every hash generated by this function is different. But is it really necessary, to identify user by email/login or something to grab his hash from database and then verify it with PHP's password_verify()?

Is it really necessary to make this query and then check?

I mean, is it possible to check hash before, and after only do query to check if it matches this one in MySQL?

Or something else maybe? I remember years ago I used something like checking inside query, like

WHERE login = $login and pass = PASSWORD($password)

Especially I mean this PASSWORD($password)?

Is there other option than fetch user's hash from Database and then verify this hash with password_verify()?

</div>

图片转代码服务由CSDN问答提供 功能建议

此问题已经存在 这里有一个答案:

  • 试图理解password_verify PHP 1回答

    我使用PHP的password_hash和bcrypt算法来哈希我的密码。 它们位于MySQL数据库中。

      password_hash($ password,PASSWORD_BCRYPT); 
       
     
     

    显然每生成一个哈希值 通过这个功能是不同的。 但是真的有必要通过电子邮件/登录识别用户或从数据库中获取哈希值然后用PHP的 password_verify()验证它吗?

    是 是否真的有必要进行此查询,然后检查?

    我的意思是,是否可以在之前检查哈希,之后只进行查询以检查它是否与MySQL中的匹配?

    还是别的什么? 我记得几年前我用过像查询内部查询一样的东西,比如

      WHERE login = $ login和pass = PASSWORD($ password)
        
     
     

    特别是我的意思是 PASSWORD($ password)

    除了从数据库获取用户的哈希还有其他选项,然后验证这个哈希 使用 password_verify()

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • drryyiuib43562604 2017-06-20 20:46
    已采纳

    Yes, it's necessary. You need the unique salt generated during hashing, encoded as part of the hash, to do the comparison. That's also exactly why this algorithm is so strong for password storage.

    已采纳该答案
    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题