PHP 和 SQL 哈希帮助 : What am I doing wrong?

Question

首先，我对一般编码相当陌生，因此散列的概念有点令人困惑。本质上，我试图对密码进行哈希处理，以便将其存储在数据库中，因此我没有纯文本形式的密码(我被告知这是最好的方法，尽管我不认为会是这样)如果密码没有经过哈希处理，那就是一个很大的问题，因为这仅在一小群人中使用，我可以通知他们不要使用他们关心的密码，但仍然建议我这样做)。

我查阅了一些指南，并且可以使用一些帮助来理解这一点。我将包括对密码进行哈希处理的方式以及如何将它们从数据库中提取出来，以帮助理解这个问题。如果这是一个愚蠢的问题，请提前道歉。请注意，我不太明白这一点，这就是我问这个问题的原因。

注意:诸如 $login_username 和 $login_password 之类的包含变量已被正确提取，我只是不想包含它们，因为它会使帖子变得更加困惑。

注册用户(已尝试password_default和password_bcrypt，但我没有看到区别):

require_once 'database.php';
    $hash_employee_password = password_hash($employee_password, PASSWORD_DEFAULT);

    $query = "INSERT INTO employee
                 (employee_id, employee_first_name, employee_last_name,
                 employee_username, employee_email, employee_password)
              VALUES
                 (:employee_id, :employee_first_name, :employee_last_name, 
                 :employee_username, :employee_email, :employee_password);";

    //VALUES (".$employee_id.", '" . $employee_first_name."', '" . $employee_last_name . "', '".$employee_username."', '".$employee_email."', '" . "$employee_password');";

    $statement = $db->prepare($query);
    $statement->bindValue(':employee_id', $employee_id);
    $statement->bindValue(':employee_first_name', $employee_first_name);
    $statement->bindValue(':employee_last_name', $employee_last_name);
    $statement->bindValue(':employee_username', $employee_username);
    $statement->bindValue(':employee_password', $hash_employee_password);
    $statement->bindValue(':employee_email', $employee_email);
    $statement->execute();
    $statement->closeCursor();

    //echo $query;
    $message = 'You have been successfully registered. Contact your manager in order to request account confirmation.';
    include ('success.php');

记录登录:

require_once 'database.php';
include 'register_user.php';

$pwordQuery = "SELECT employee_password from employee where employee_username = :login_username";
$pwstatement = $db->prepare($pwordQuery);
$pwstatement->bindValue(':login_username', $login_username);
$pwstatement->execute();
$result = $pwstatement->fetch();
$pwstatement->closeCursor();


echo $result[0];

if(password_verify($login_password, $result[0]))
{
    echo ' TRUE';
}
else
{
    echo ' FALSE ';
}   

问题是:我输入了正确的用户名和密码，但得到的结果是“FALSE”回显。如果您有任何想法，请告诉我。忽略这样一个事实:我有大量工作要做，例如将查询放入函数中并以这种方式调用它们......这些都保存到以后。

Answer 1

"password column's length is what? if it's anything less than 60, mysql failed on you silently. 9 times out of 10, that's what the problem is. If so, then you'll need to start all over again by clearing your db and create a new hash. – Fred -ii- 13 mins ago"

我一直以来都是对的:

@Fred Well it looks like having the column length being 45 was a bad idea and that was my only problem. Thanks for the help, not entirely sure how this site works so I don't know how to give you rep or anything."

根据 password_hash() 函数的手册:

http://php.net/manual/en/function.password-hash.php

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).