Question
I am trying to understand how password_verify works so I can use it for resetting the password. I would have thought this would work, but the hashes don't seem to match?
<?php
$sUniqueCode = uniqid('1234', true);
$sHash1 = password_hash($sUniqueCode, PASSWORD_DEFAULT);
$sHash2 = password_hash($sUniqueCode, PASSWORD_DEFAULT);
$sHash3 = password_hash($sUniqueCode, PASSWORD_DEFAULT);
echo "Hash 1: ".$sHash1."<br>";
echo "Hash 2: ".$sHash2."<br>";
echo "Hash 3: ".$sHash3."<br>";
if (password_verify($sHash1, $sHash1)) {
    echo "Hash 1 = hash 2 <br>";
}
if (password_verify($sHash3, $sHash1)) {
    echo "Hash 1 = hash 3";
}
I don't get an echo from the last two conditions; what am I missing here?
Context
The reason I want to understand this is that I want to generate one hash of the same unique_id to be stored in the database, and one to be sent in an email as a GET variable.
If the example above does not work, the comparison of the two hashes on my website will not validate to true either, right?
Answer 1:
Every hash generated using password_hash() is salted with a different salt, so $sHash1, $sHash2 and $sHash3 will all be different.
password_verify() is used to compare a plaintext password against a hashed password, not two hashes with each other; use password_verify() to compare $sUniqueCode with any of the hashes that you have generated:
if (password_verify($sUniqueCode, $sHash1)) { ... }
EDIT
Rather than sending a password hash through email, which isn't useful in any way, send a nonce link for initial account access or new password generation.
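The following is an added PHP example, not code from the question or the answer above. The first part reproduces the behaviour the answer describes (same input, different salted hashes, and password_verify() taking the plaintext, not a hash). The second part implements the nonce-link flow the answer recommends: the link carries a random selector to find the row and a random verifier whose password_hash() is the only thing stored, with an expiry and single use. The array "database", the echoed e-mail, the function names, the TTL and the URL are all assumptions of this example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original question or answer.
// The "database" is a plain array and the e-mail is an echo; function names,
// the TTL and the URL are assumptions.

// Part 1: why the question's comparison fails.
$secret = 'same-secret-value';
$h1 = password_hash($secret, PASSWORD_DEFAULT);
$h2 = password_hash($secret, PASSWORD_DEFAULT);
var_dump($h1 === $h2);                   // different salts, so the two strings differ
var_dump(password_verify($h1, $h2));     // a hash is not the plaintext it was made from
var_dump(password_verify($secret, $h1)); // the plaintext verifies against either hash
var_dump(password_verify($secret, $h2));

// Part 2: the nonce-link flow. The link carries a random selector (used only to
// find the row) and a random verifier; only a hash of the verifier is stored,
// so a leaked tokens table does not yield usable reset links.
const RESET_TTL_SECONDS = 3600;

/** Create a reset token; returns the row to store and the link to e-mail. */
function createResetToken(int $userId): array
{
    $selector = bin2hex(random_bytes(8));    // lookup key, stored in the clear
    $verifier = bin2hex(random_bytes(32));   // 256-bit secret, stored only as a hash
    $row = [
        'selector'      => $selector,
        'user_id'       => $userId,
        'verifier_hash' => password_hash($verifier, PASSWORD_DEFAULT),
        'expires_at'    => time() + RESET_TTL_SECONDS,
        'used'          => false,
    ];
    $link = 'https://example.com/reset?s=' . $selector . '&v=' . $verifier;
    return [$row, $link];
}

/** Validate a token from the link; returns the user id on success, null otherwise. */
function consumeResetToken(array &$db, string $selector, string $verifier): ?int
{
    if (!isset($db[$selector])) {
        return null;                         // unknown selector
    }
    $row = &$db[$selector];
    if ($row['used'] || time() > $row['expires_at']) {
        return null;                         // single use, bounded lifetime
    }
    if (!password_verify($verifier, $row['verifier_hash'])) {
        return null;                         // wrong verifier for this selector
    }
    $row['used'] = true;
    return $row['user_id'];
}

$db = [];                                    // stands in for the tokens table
[$row, $link] = createResetToken(42);
$db[$row['selector']] = $row;
echo "E-mail this link: $link\n";

// Simulate the user clicking the link.
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
var_dump(consumeResetToken($db, $q['s'], $q['v']));   // first use succeeds
var_dump(consumeResetToken($db, $q['s'], $q['v']));   // second use is rejected
```

Splitting the token into a selector and a verifier is what makes password_hash() workable here: because every hash has its own salt, the stored hash cannot itself be used to look the row up, so the clear-text selector does the lookup and password_verify() checks the secret part.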
Source: https://stackoverflow.com/questions/35419607/trying-to-understand-password-verify-php