drfb52000 2017-06-20 20:44
浏览 82
已采纳

是否需要从数据库中获取哈希? password_hash bcrypt [复制]

This question already has an answer here:

I use PHP's password_hash and bcrypt algorithm to hash my passwords. They are in MySQL database.

password_hash($password, PASSWORD_BCRYPT);

As obvious every hash generated by this function is different. But is it really necessary, to identify user by email/login or something to grab his hash from database and then verify it with PHP's password_verify()?

Is it really necessary to make this query and then check?

I mean, is it possible to check hash before, and after only do query to check if it matches this one in MySQL?

Or something else maybe? I remember years ago I used something like checking inside query, like 

WHERE login = $login and pass = PASSWORD($password)

Especially I mean this PASSWORD($password)?

Is there other option than fetch user's hash from Database and then verify this hash with password_verify()?

</div>
  • 写回答

1条回答 默认 最新

  • drryyiuib43562604 2017-06-20 20:46
    关注

    Yes, it's necessary. You need the unique salt generated during hashing, encoded as part of the hash, to do the comparison. That's also exactly why this algorithm is so strong for password storage.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 自动转发微信群信息到另外一个微信群
  • ¥15 outlook无法配置成功
  • ¥30 这是哪个作者做的宝宝起名网站
  • ¥60 版本过低apk如何修改可以兼容新的安卓系统
  • ¥25 由IPR导致的DRIVER_POWER_STATE_FAILURE蓝屏
  • ¥50 有数据,怎么建立模型求影响全要素生产率的因素
  • ¥50 有数据,怎么用matlab求全要素生产率
  • ¥15 TI的insta-spin例程
  • ¥15 完成下列问题完成下列问题
  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换