password_get_info()
(PHP 5 >= 5.5.0, PHP 7)
返回指定散列(hash)的相关信息
说明
password_get_info(string $hash): array
如果传入的散列值(hash)是由password_hash()支持的算法生成的,这个函数就会返回关于此散列的信息数组。
参数
- $hash
一个由password_hash()创建的散列值。
返回值
返回三个元素的关联数组:
- algo,匹配密码算法的常量
- algoName,人类可读的算法名称
- options,调用password_hash()时提供的选项。
If you're curious to use this method to determine if there is someway to evaluate if a given string is NOT a password_hash() value... <?php // Our password.. the kind of thing and idiot would have on his luggage: $password_plaintext = "12345"; // Hash it up, fuzzball! $password_hash = password_hash( $password_plaintext, PASSWORD_DEFAULT, [ 'cost' => 11 ] ); // What do we get? print_r( password_get_info( $password_hash ) ); /* returns: Array ( [algo] => 1 [algoName] => bcrypt // Your server's default. [options] => Array ( [cost] => 11 ) ) */ // What about if it's un-hashed?... print_r( password_get_info( $password_plaintext ) ); /* returns: Array ( [algo] => 0 [algoName] => unknown [options] => Array ( ) ) */ ?> ... Looks like it's up to each of us to personally decide if it's safe to compare against the final returned array.
<?php $a= password_hash("rasmuslerdorf", PASSWORD_DEFAULT); var_dump(password_get_info($a)); //change every refresh var_dump($a); ?> //Output like array(3) { ["algo"]=> int(1) ["algoName"]=> string(6) "bcrypt" ["options"]=> array(1) { ["cost"]=> int(10) } } string(60) "$2y$10$wKEZs6W//QDoOeTKSCXx7.Y9Q7duFEtJpFFuJn1G5GhyWTTit/tL2"
<?php var_dump(password_get_info($hash)); // Example array(3) { ["algo"]=> int(1) ["algoName"]=> string(6) "bcrypt" ["options"]=> array(1) { ["cost"]=> int(10) } } ?>