drfb52000
2017-06-20 20:44
浏览 82
已采纳

是否需要从数据库中获取哈希? password_hash bcrypt [复制]

This question already has an answer here:

I use PHP's password_hash and bcrypt algorithm to hash my passwords. They are in MySQL database.

password_hash($password, PASSWORD_BCRYPT);

As obvious every hash generated by this function is different. But is it really necessary, to identify user by email/login or something to grab his hash from database and then verify it with PHP's password_verify()?

Is it really necessary to make this query and then check?

I mean, is it possible to check hash before, and after only do query to check if it matches this one in MySQL?

Or something else maybe? I remember years ago I used something like checking inside query, like

WHERE login = $login and pass = PASSWORD($password)

Especially I mean this PASSWORD($password)?

Is there other option than fetch user's hash from Database and then verify this hash with password_verify()?

</div>

图片转代码服务由CSDN问答提供 功能建议

此问题已经存在 这里有一个答案:

  • 试图理解password_verify PHP 1回答

    我使用PHP的password_hash和bcrypt算法来哈希我的密码。 它们位于MySQL数据库中。

      password_hash($ password,PASSWORD_BCRYPT); 
       
     
     

    显然每生成一个哈希值 通过这个功能是不同的。 但是真的有必要通过电子邮件/登录识别用户或从数据库中获取哈希值然后用PHP的 password_verify()验证它吗?

    是 是否真的有必要进行此查询,然后检查?

    我的意思是,是否可以在之前检查哈希,之后只进行查询以检查它是否与MySQL中的匹配?

    还是别的什么? 我记得几年前我用过像查询内部查询一样的东西,比如

      WHERE login = $ login和pass = PASSWORD($ password)
        
     
     

    特别是我的意思是 PASSWORD($ password)

    除了从数据库获取用户的哈希还有其他选项,然后验证这个哈希 使用 password_verify()

  • 写回答
  • 好问题 提建议
  • 追加酬金
  • 关注问题
  • 邀请回答

1条回答 默认 最新

相关推荐 更多相似问题