If you're curious to use this method to determine if there is someway to evaluate if a given string is NOT a password_hash() value...
<?php
// Our password.. the kind of thing and idiot would have on his luggage:
$password_plaintext = "12345";
// Hash it up, fuzzball!
$password_hash = password_hash( $password_plaintext, PASSWORD_DEFAULT, [ 'cost' => 11 ] );
// What do we get?
print_r( password_get_info( $password_hash ) );
/* returns:
Array (
[algo] => 1
[algoName] => bcrypt // Your server's default.
[options] => Array ( [cost] => 11 )
)
*/
// What about if it's un-hashed?...
print_r( password_get_info( $password_plaintext ) );
/* returns:
Array (
[algo] => 0
[algoName] => unknown
[options] => Array ( )
)
*/
?>
... Looks like it's up to each of us to personally decide if it's safe to compare against the final returned array.
password_get_info
(PHP 5 >= 5.5.0, PHP 7, PHP 8)
password_get_info — Retourne des informations à propos du hachage fourni
Description
Lorsqu'il est passé un hachage valide, créée par un algorithme supporté par la fonction password_hash(), cette fonction retournera un tableau d'information à propos de ce dernier.
Liste de paramètres
-
hash -
Un hachage créé par la fonction password_hash().
Valeurs de retour
Retourne un tableau associatif contenant trois éléments :
-
algo, qui doit correspondre à une constante de l'algorithme de mot de passe -
algoName, qui correspond au nom humainement lisible de l'algorithme -
options, qui contient les options fournies lors de l'appel de la fonction password_hash()
add a note
User Contributed Notes 2 notes
cbungholio at gmail dot com ¶
7 years ago
lincoln dot du dot j at gmail dot com ¶
7 years ago
<?php
$a= password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
var_dump(password_get_info($a));
//change every refresh
var_dump($a);
?>
//Output like
array(3) {
["algo"]=>
int(1)
["algoName"]=>
string(6) "bcrypt"
["options"]=>
array(1) {
["cost"]=>
int(10)
}
}
string(60) "$2y$10$wKEZs6W//QDoOeTKSCXx7.Y9Q7duFEtJpFFuJn1G5GhyWTTit/tL2"
