7

I'm using Mr. Andrew Moore's method (How do you use bcrypt for hashing passwords in PHP?) of hashing users' passwords. What I did is I have a registration page and it uses

$bcrypt = new Bcrypt(12);
$pass = $_POST['password']; //register password field
$hash= $bcrypt->hash($pass);

// then inserts $hash into the database with the user's registered email (I've checked my MySQL database and it indeed has a hashed item)

Then I have a login page, consisting of email and password fields. My thought is that email addresses are unique in my database. So with that in mind, I made a script where it checks the user's email address first, then if there is an existing one, verifies the hashed password with this

$bcrypt = new Bcrypt(12);

$email = $_POST['email']; //from login email field
$pass_l = $_POST['password']; // from login password field
$hash_1= $bcrypt->hash($pass_1);

$chk_email= $dbh->prepare("SELECT password FROM table WHERE email = ?");
$chk_email -> execute(array($email));

while($row = $chk_email->fetch(PDO::FETCH_ASSOC)){
    $chk_pass = $row['password']; //inside a while loop to get the password
    $pass_isGood = $bcrypt->verify($hash_1, $chk_pass);
    var_dump($pass_isGood); // I'm getting false

}

I'm not sure what I'm doing wrong; I'm supposed to get true. And I have set my table field to text or even varchar(256).

4

2 answers

7

Using Andrew Moore's class, you need to call the class verify() method to verify that the user's password matches the hash. The two parameters you pass to it are the plaintext password the user entered and the hash that you stored in the database.

It seems you passed a second hashed password to verify() instead, which is why it's not working. Pass in the plaintext password as the first argument.

answered 2012-07-14T18:56:22.790
4

So, to build explicitly on @Michael's answer (since I was also looking at Andrew Moore's solution):

Instead of this:

$hash_1= $bcrypt->hash($pass_1);
$chk_pass = $row['password']; //inside a while loop to get the password
$pass_isGood = $bcrypt->verify($hash_1, $chk_pass);

You need this:

$pass_l = $_POST['password'];
$chk_pass = $row['password']; // inside a while loop to get the password
$pass_isGood = $bcrypt->verify($pass_l, $chk_pass);
// notice how the 1st parameter of verify() is the text input and not its hashed form
answered 2012-07-16T22:30:12.313
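The point both answers make (verify() takes the plaintext password first and the stored hash second) as a complete registration-and-login flow. This is an added example, not the original poster's code and not Andrew Moore's class: it uses PHP's built-in password_hash()/password_verify() (PHP 5.5+), which wrap the same bcrypt algorithm and take their arguments in the same order. The database is a constructed in-memory SQLite table through PDO (it assumes the pdo_sqlite extension is loaded), and the table name, column names and user are made up. It also reproduces the mistake from the question side by side with the fix, so you can see why re-hashing before verifying can never succeed.

```php
<?php
// Added example: registration and login with bcrypt via PHP's native
// password_hash()/password_verify(). Not the original poster's code and
// not Andrew Moore's Bcrypt class (same argument order as its verify()).
// The "users" table is a constructed in-memory SQLite database (assumes
// the pdo_sqlite extension); schema, email and password are made up.
declare(strict_types=1);

const BCRYPT_COST = 12;

function openDb(): PDO {
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // A bcrypt hash is always 60 characters, so VARCHAR(60) is enough;
    // 255 leaves room for stronger algorithms later. A column that is too
    // short silently truncates the hash and verification can never succeed.
    $dbh->exec('CREATE TABLE users (
        email    VARCHAR(255) PRIMARY KEY,
        password VARCHAR(255) NOT NULL
    )');
    return $dbh;
}

// Registration: hash the plaintext ONCE and store the result.
function registerUser(PDO $dbh, string $email, string $password): void {
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $dbh->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
    $stmt->execute([$email, $hash]);
}

// Login (correct): fetch the stored hash for the unique email and verify the
// PLAINTEXT password against it. Returns true only on a real match.
function loginUser(PDO $dbh, string $email, string $password): bool {
    // Computed once: a throwaway hash so that an unknown email still costs a
    // full bcrypt check and response time does not reveal which emails exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }

    $stmt = $dbh->prepare('SELECT password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // email is unique: one row or none

    $stored = ($row !== false) ? $row['password'] : $dummyHash;

    // Sanity check on what came back from the database: a bcrypt hash is
    // exactly 60 characters and starts with the "$2y$" prefix.
    if (strlen($stored) !== 60 || strncmp($stored, '$2y$', 4) !== 0) {
        return false;
    }

    $ok = password_verify($password, $stored);
    return $row !== false && $ok;
}

// Login (the mistake from the question, kept for comparison): hashing the
// submitted password again and handing THAT to verify(). bcrypt picks a fresh
// random salt on every hash() call, so the second hash is a different string,
// and verify() then tests that 60-character string against the stored hash
// instead of the password. This always returns false.
function loginUserWrong(PDO $dbh, string $email, string $password): bool {
    $stmt = $dbh->prepare('SELECT password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $rehashed = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return password_verify($rehashed, $row['password']);
}

// Constructed demo data.
$dbh = openDb();
registerUser($dbh, 'alice@example.com', 'correct horse battery staple');

var_dump(loginUser($dbh, 'alice@example.com', 'correct horse battery staple'));
var_dump(loginUser($dbh, 'alice@example.com', 'wrong password'));
var_dump(loginUser($dbh, 'nobody@example.com', 'anything'));
var_dump(loginUserWrong($dbh, 'alice@example.com', 'correct horse battery staple'));
```

Run it with `php example.php`: only the first loginUser() call reports true; the wrong-password and unknown-email calls report false, and loginUserWrong() reports false even with the correct password, which is exactly the symptom in the question. The unknown-email branch deliberately still runs a bcrypt verify against a dummy hash so that a login endpoint does not leak which emails are registered through its response time.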