public function PhpassHashedPassword::check
public PhpassHashedPassword::check($password, $hash)
Check whether a plain text password matches a hashed password.
Parameters
string $password: A plain-text password
string $hash: A hashed password.
Return value
bool TRUE if the password is valid, FALSE if not.
Overrides PasswordInterface::check
File
- core/lib/Drupal/Core/Password/PhpassHashedPassword.php, line 221
Class
- PhpassHashedPassword
- Secure password hashing functions based on the Portable PHP password hashing framework.
Namespace
Drupal\Core\PasswordCode
public function check($password, $hash) {
if (substr($hash, 0, 2) == 'U$') {
// This may be an updated password from user_update_7000(). Such hashes
// have 'U' added as the first character and need an extra md5() (see the
// Drupal 7 documentation).
$stored_hash = substr($hash, 1);
$password = md5($password);
}
else {
$stored_hash = $hash;
}
$type = substr($stored_hash, 0, 3);
switch ($type) {
case '$S$':
// A normal Drupal 7 password using sha512.
$computed_hash = $this->crypt('sha512', $password, $stored_hash);
break;
case '$H$':
// phpBB3 uses "$H$" for the same thing as "$P$".
case '$P$':
// A phpass password generated using md5. This is an
// imported password or from an earlier Drupal version.
$computed_hash = $this->crypt('md5', $password, $stored_hash);
break;
default:
return FALSE;
}
// Compare using hashEquals() instead of === to mitigate timing attacks.
return $computed_hash && Crypt::hashEquals($stored_hash, $computed_hash);
}
© 2001–2016 by the original authors
Licensed under the GNU General Public License, version 2 and later.
Drupal is a registered trademark of Dries Buytaert.
https://api.drupal.org/api/drupal/core!lib!Drupal!Core!Password!PhpassHashedPassword.php/function/PhpassHashedPassword::check/8.1.x