PASSWORD_THROW_ON_ERROR
password_verify ( string $password , string $hash, int $flags = 0 ) : bool
On Fri, 29 Jan 2021 at 16:01, Benjamin Morel wrote:
> Hi all, thanks for the constructive feedback.
>
> On Fri, 29 Jan 2021 at 15:52, Marco Pivetta wrote:
>
> >
> > Gonna be the usual person sayi
Hi all, thanks for the constructive feedback.
On Fri, 29 Jan 2021 at 15:52, Marco Pivetta wrote:
>
> Gonna be the usual person saying: let's not clutter functions with more
> behavior than what's needed :-)
>
> If you need to validate a hash for being "well formed" rather than
> "matching", then
On Fri, Jan 29, 2021 at 3:45 PM Jesse Rushlow wrote:
> However having a third param to password_verify(), that is false by
> default, that would allow for
> an exception to be thrown in the event of an unknown algo / bad hash might
> be a better path forward and would be totally beneficial in my
>
> There are definitely a fair number of applications that use the above
> method to ensure backwards compatibility and a solid upgrade path, and as
> such I would be resistant to adding warnings/errors/exceptions here.
>
I think Anthony makes a valid point, to preserve BC adding errors /
excepti
On Wed, Jan 27, 2021 at 11:27 AM Benjamin Morel wrote:
> Hi internals,
>
> I just spent some time debugging an authentication issue after upgrading
> PHP, and realized that it was due to ext-sodium not being installed, so
> password_verify() would always return false for argon2i hashes.
>
> Diggi
On 27/01/2021 16:26, Benjamin Morel wrote:
Shouldn't it throw an exception, or at least trigger a warning, when the
algorithm is unknown, or the hash is malformed? Returning false IMO, should
mean "I recognize this hash, but it doesn't match your password". "I don't
recognize this hash" is an appl
On Wed, Jan 27, 2021 at 10:27 AM Benjamin Morel wrote:
> I just spent some time debugging an authentication issue after upgrading
> PHP, and realized that it was due to ext-sodium not being installed, so
> password_verify() would always return false for argon2i hashes.
>
> Digging a bit more, I r
Hi internals,
I just spent some time debugging an authentication issue after upgrading
PHP, and realized that it was due to ext-sodium not being installed, so
password_verify() would always return false for argon2i hashes.
Digging a bit more, I realized that password_verify() does not complain if