Karaethon Posted March 17, 2019 Share Posted March 17, 2019 (edited) I copied the code for password_hash at php.net: <?php /** * In this case, we want to increase the default cost for BCRYPT to 12. * Note that we also switched to BCRYPT, which will always be 60 characters. */ $options = [ 'cost' => 12, ]; echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options); ?> and changed it for use in my login page: $options = ['cost' => 12,]; $user = mysqli_real_escape_string($db_link,$_GET['username']); $pass = password_hash($_GET['password'], PASSWORD_BCRYPT, $options); but my page keeps saying invalid user/pass. Upon echoing the $pass I find that the result changes EACH time. so I created a test page that runs the code from php.net (verbatim code) 20x and I got: [pre] $2y$10$Nlf0J520viR4C5jd3nIdd.6M3OMKACx503Jm3PiXDYZIs.13XAheq $2y$10$SO1ip3JI.EGjUJb3JYUDSeAUszg6A3UBX9b.ENk2aythAuxQ1apxS $2y$10$Ub7cQSbFWXhkLrzm3ldGGe8FfgsOjS99vgj9l801yqXgPjvJmVpsm $2y$10$8fNzz/tmrg8tLdHOk0r7GOh0j1frKN3ujA/qzrFHi/s22jMO/hbri $2y$10$o.5LnDxkhw/YNxJT16fuIOiQbnhHKs51SqFTqQ3KsflY6nYV.HLLm $2y$10$zQZiauRe6tuF2rGd1XGcO.E7ekhfP68Sqih8ll9Om7n5c2NO3tPSu $2y$10$uLZXDAQu14EW8P4CMMICBuvRv0wOEAxghzJV1c9UuNK7yTRJNNdjO $2y$10$P6Uy4/PDOnE9zv/VxRAWFebKY/qYXj1unIrTvV42xUxe.zXx3ut2W $2y$10$uHb8qdh3CGe0BkXdyuThHu0vgAH5bxEPYMe0VK410Q7xqcAlC.xuy $2y$10$xXwbec0Cn0JcMorGgmmRY.qHW.N1pNoYq.2V.IAQHsCDYPXtgQyJ6 $2y$10$w88m.M6BmVVoYYBhM1IAquOIb4NH9n093nQmdzhKm0Fq2ykgcZFZm $2y$10$IkVTs7.z4rZt5/rkgRQnKeXfINb7VTqXxTDRZB9caR4X0rwKtdhIW $2y$10$XyjX0X0I.l4Ct9eF4zhhz.S5Cg/Ppqf3veL9ciehjBr/2Rp8usPCm $2y$10$iJkhIWl95TVlA4hw2nltd./YmyXA2.abqTu8WFs/YuEvJsndosv6W $2y$10$kwVNtAaKxG8z2m.D0evl..Xx64NWPxbFAIBjCDLBfgiJncgniBB7S $2y$10$m8ZyiI7HhXutyTZGySit/O3lmAGsIlfRqEcYc7eCV2XS9TS1Sw9/y $2y$10$uYDilXy1HKT9M6DiPUhAe.3W5teCpkTF4x5UgVYiJctz4HXNMzU9e $2y$10$0HDD2quyh2AfMeF41PbKTu7PGTPn2fcl42HLxweaIHay9KbPDrEh6 $2y$10$qc0Kt5VtkrslpLlQmvq5a.dboTbf8qEif9KOwYwjoGGh6Q.xoN8JK [/pre] Is password_hash broken? or am I mistaken to think that it's supposed to return the same output everytime fror the same input? Edited March 17, 2019 by Karaethon typos corrected Quote Link to comment Share on other sites More sharing options...
mac_gyver Posted March 17, 2019 Share Posted March 17, 2019 password_hash() is used when the hash of a password is saved, i.e. during registration/password changes, and the hash it produces for a given input is different each time since a random salt is generated and used each time it is called. password_verify() is used to test if a submitted password corresponds to a saved hash. Quote Link to comment Share on other sites More sharing options...
Karaethon Posted March 17, 2019 Author Share Posted March 17, 2019 Ahhh. ok... so I use _hash when the user registers or edits their password and _verify when they log in? Kinda wish the php documentation said something about that, or at least I didn't catch it if it did. Quote Link to comment Share on other sites More sharing options...
requinix Posted March 18, 2019 Share Posted March 18, 2019 There isn't a tutorial on password hashing, if that's what you mean, but the documentation for password_hash does say it creates passwords, and that the returned value can be used with password_verify() to verify the hash. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.