I have the following snippet of code:
// bcrypt hash of 'password'
$hash = '$2y$10$4u0cQ.WEnwHDo.C5Nl1vm.shKA0beQ32wqzphSfzklAq9OcDM2nLu';
if(password_verify('password', $hash)) {
print_r('woohoo!');
}
else {
print_r('fubar');
}
On one server it's working fine (woohoo!), on another it doesn't work. I've just put it up on codepad.org and it fails there too.
The problem is (as can be see on that codepad page) that the hash computed by crypt is of length 13 instead of the required 60.
I'm using ircmaxel's password_compat library on github to implement the PHP 5.5 only password_verify function.
It seems that you are running the script on a PHP version smaller than 5.3.7, and therefore the algorithm '2y' is not yet known.
If possible, i would consider to do a PHP upgrade on this server, the '2y' parameter solves a problem with unicode input strings.
Should this not be an option, then you can replace the algorithm in the compatibility pack. Somewhere about line 49 you will find...
$hash_format = sprintf("$2y$%02d$", $cost);
...change it to the former BCrypt constant '2a'...
$hash_format = sprintf("$2a$%02d$", $cost);
...this is of course not optimal, but it is the best you can do on earlier versions.
A new generated password hash will now start with '$2a$10$...' and the verification with this hash-value should work on every system.
来源:https://stackoverflow.com/questions/15090481/password-verify-call-returning-false-for-correct-password