Karaethon Posted March 17, 2019

I copied the code for password_hash at php.net:

```php
<?php
/**
 * In this case, we want to increase the default cost for BCRYPT to 12.
 * Note that we also switched to BCRYPT, which will always be 60 characters.
 */
$options = [
    'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
?>
```

and changed it for use in my login page:

```php
$options = ['cost' => 12,];
$user = mysqli_real_escape_string($db_link, $_GET['username']);
$pass = password_hash($_GET['password'], PASSWORD_BCRYPT, $options);
```

but my page keeps saying invalid user/pass. Upon echoing the $pass I find that the result changes EACH time. So I created a test page that runs the code from php.net (verbatim code) 20x and I got:

[pre]
$2y$10$Nlf0J520viR4C5jd3nIdd.6M3OMKACx503Jm3PiXDYZIs.13XAheq
$2y$10$SO1ip3JI.EGjUJb3JYUDSeAUszg6A3UBX9b.ENk2aythAuxQ1apxS
$2y$10$Ub7cQSbFWXhkLrzm3ldGGe8FfgsOjS99vgj9l801yqXgPjvJmVpsm
$2y$10$8fNzz/tmrg8tLdHOk0r7GOh0j1frKN3ujA/qzrFHi/s22jMO/hbri
$2y$10$o.5LnDxkhw/YNxJT16fuIOiQbnhHKs51SqFTqQ3KsflY6nYV.HLLm
$2y$10$zQZiauRe6tuF2rGd1XGcO.E7ekhfP68Sqih8ll9Om7n5c2NO3tPSu
$2y$10$uLZXDAQu14EW8P4CMMICBuvRv0wOEAxghzJV1c9UuNK7yTRJNNdjO
$2y$10$P6Uy4/PDOnE9zv/VxRAWFebKY/qYXj1unIrTvV42xUxe.zXx3ut2W
$2y$10$uHb8qdh3CGe0BkXdyuThHu0vgAH5bxEPYMe0VK410Q7xqcAlC.xuy
$2y$10$xXwbec0Cn0JcMorGgmmRY.qHW.N1pNoYq.2V.IAQHsCDYPXtgQyJ6
$2y$10$w88m.M6BmVVoYYBhM1IAquOIb4NH9n093nQmdzhKm0Fq2ykgcZFZm
$2y$10$IkVTs7.z4rZt5/rkgRQnKeXfINb7VTqXxTDRZB9caR4X0rwKtdhIW
$2y$10$XyjX0X0I.l4Ct9eF4zhhz.S5Cg/Ppqf3veL9ciehjBr/2Rp8usPCm
$2y$10$iJkhIWl95TVlA4hw2nltd./YmyXA2.abqTu8WFs/YuEvJsndosv6W
$2y$10$kwVNtAaKxG8z2m.D0evl..Xx64NWPxbFAIBjCDLBfgiJncgniBB7S
$2y$10$m8ZyiI7HhXutyTZGySit/O3lmAGsIlfRqEcYc7eCV2XS9TS1Sw9/y
$2y$10$uYDilXy1HKT9M6DiPUhAe.3W5teCpkTF4x5UgVYiJctz4HXNMzU9e
$2y$10$0HDD2quyh2AfMeF41PbKTu7PGTPn2fcl42HLxweaIHay9KbPDrEh6
$2y$10$qc0Kt5VtkrslpLlQmvq5a.dboTbf8qEif9KOwYwjoGGh6Q.xoN8JK
[/pre]

Is password_hash broken? Or am I mistaken to think that it's supposed to return the same output every time for the same input?

mac_gyver Posted March 17, 2019

password_hash() is used when the hash of a password is saved, i.e. during registration/password changes, and the hash it produces for a given input is different each time since a random salt is generated and used each time it is called. password_verify() is used to test if a submitted password corresponds to a saved hash.

Karaethon Posted March 17, 2019

Ahhh. OK... so I use _hash when the user registers or edits their password and _verify when they log in? Kinda wish the PHP documentation said something about that, or at least I didn't catch it if it did.

requinix Posted March 18, 2019

There isn't a tutorial on password hashing, if that's what you mean, but the documentation for password_hash does say it creates passwords, and that the returned value can be used with password_verify() to verify the hash.
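
The register/login split described in the replies above, as an added example that is not part of the original thread. The in-memory `$users` array and the `register()`/`login()` helpers are hypothetical stand-ins for a real user table and login page; the sample password is the one from the php.net snippet.

```php
<?php
// Added example. $users is a constructed in-memory stand-in for the users table.
const BCRYPT_OPTIONS = ['cost' => 12];
$users = [];

// Registration / password change: hash once and store the 60-character result.
function register(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Login: do not re-hash and compare. password_verify() reads the cost and salt
// out of the stored hash, recomputes with them, and compares in constant time.
function login(array &$users, string $username, string $password): bool
{
    $stored = $users[$username] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    // If the configured cost was raised after this hash was stored, upgrade it
    // now, while the plaintext password is available.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return true;
}

register($users, 'rasmus', 'rasmuslerdorf');
$stored = $users['rasmus'];

// The approach from the question: a second password_hash() call draws a new
// random salt, so comparing its output to the stored hash does not work.
$fresh = password_hash('rasmuslerdorf', PASSWORD_BCRYPT, BCRYPT_OPTIONS);
echo "fresh hash equals stored hash: ", var_export($fresh === $stored, true), "\n";

// Layout of a bcrypt string: "$2y$" + 2-digit cost + "$" + 22-char salt + digest.
printf("cost=%s salt=%s\n", substr($stored, 4, 2), substr($stored, 7, 22));

// In effect what password_verify() does: reuse the stored salt and cost.
echo "crypt() with stored salt matches: ",
    var_export(hash_equals($stored, crypt('rasmuslerdorf', $stored)), true), "\n";

echo "correct password: ", var_export(login($users, 'rasmus', 'rasmuslerdorf'), true), "\n";
echo "wrong password:   ", var_export(login($users, 'rasmus', 'wrong-password'), true), "\n";
echo "unknown user:     ", var_export(login($users, 'nobody', 'rasmuslerdorf'), true), "\n";
```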