phalcon / cphalcon

High performance, full-stack PHP framework delivered as a C extension.
https://phalcon.io
BSD 3-Clause "New" or "Revised" License

[BUG]: Security component hash of the same string gives a changed result on every request; #16039

Closed zikezhang closed 2 years ago

zikezhang commented 2 years ago

Code:

```php
echo $this->security->hash('Phalcon') . "\n";
die();
```

The result changes on every request:

```
$2y$10$s1EeIKSeZp/e/plDErWhGOnkL9iGJwUYlZUqrBBqoK4KWgfxlpb6S
$2y$10$Nux9UDiW8PoCTyrcEd6g/.azT352GoGZVQcasHsbqFyLx5CmpNzZC
$2y$10$AKxccUPJ8lWWqOfBlNpma.J3IXkQmsVs2WIdKBTCuUlEOhKVGmfk.
......
```

I want to save the hashed password in the DB, but found that the hashed password changes on every request.


ALameLlama commented 2 years ago

Hey @zikezhang, this is normal since it's using a salt that's randomized. If you take one of the examples you've provided and put it into the checkHash function, it will return true.

```php
$hash = '$2y$10$AKxccUPJ8lWWqOfBlNpma.J3IXkQmsVs2WIdKBTCuUlEOhKVGmfk.';

echo $this->security->checkHash('Phalcon', $hash);
```

You can get more information about it here: https://docs.phalcon.io/5.0/en/encryption-security

If you're trying to put it into the database and then read it later, you'll want to encrypt it and not hash it :) https://docs.phalcon.io/5.0/en/encryption-crypt

zikezhang commented 2 years ago

@LlamaDuckGoose Yes. Thank you. I have found that the PHP native function password_hash() also returns its result dynamically. https://www.php.net/manual/en/function.password-hash.php
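The behaviour described in the two replies above, shown in plain PHP as an added example (not code from the thread or from Phalcon): the random salt is stored inside the `$2y$10$...` string, so password_hash() returns a different value on every call while password_verify() accepts all of them. It assumes PHP 7 or later; parseBcrypt() is a helper written here, not a library function.

```php
<?php
// Added example, not code from the issue thread or from Phalcon itself.
// Assumes plain PHP 7+ with password_hash()/password_verify(), which produce
// the same "$2y$10$" bcrypt strings that appear in the report.

// Split "$2y$10$<22-char salt><31-char digest>" (60 chars) into its fields.
function parseBcrypt(string $hash): array
{
    $re = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt hash: ' . $hash);
    }
    return [
        'ident'  => $m[1],       // "2y" in the issue's output
        'cost'   => (int) $m[2], // work factor, 10 in the issue's output
        'salt'   => $m[3],       // drawn at random on every call
        'digest' => $m[4],       // bcrypt(password, salt, cost)
    ];
}

$password = 'Phalcon';

// Same input, two calls: a fresh salt each time, so the stored strings differ.
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
printf("strings differ: %s\n", var_export($first !== $second, true));
foreach ([$first, $second] as $h) {
    $p = parseBcrypt($h);
    printf("  cost=%d salt=%s\n", $p['cost'], $p['salt']);
}

// Verification reads the salt back out of the stored string, recomputes the
// digest and compares in constant time, so every stored value accepts the
// original password and none accepts a different one.
printf("first  verifies 'Phalcon': %s\n", var_export(password_verify($password, $first), true));
printf("second verifies 'Phalcon': %s\n", var_export(password_verify($password, $second), true));
printf("first  verifies 'phalcon': %s\n", var_export(password_verify('phalcon', $first), true));

// The same check applies to a value copied from the issue: the salt travels
// inside the string, so nothing else needs to be kept in the database.
$fromIssue = '$2y$10$AKxccUPJ8lWWqOfBlNpma.J3IXkQmsVs2WIdKBTCuUlEOhKVGmfk.';
printf("issue hash verifies 'Phalcon': %s\n", var_export(password_verify('Phalcon', $fromIssue), true));
```

Storing the full 60-character string is all that is needed; a column shorter than that truncates the digest and makes verification fail.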