The function password_verify() in the new PHP password API checks if the password corresponds to the hash. The hash is generated by password_hash(), which by default uses a random salt and a cost of 10.
I always thought (although I never studied it) that you have to store the salt inside the database and then, when you want to verify the password, hash it with the given salt using the same cost. How can password_verify() check the password without knowing the salt and cost?
The string returned by password_hash() contains not only the hash, but also the algorithm, cost and salt.
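To make the answer concrete, here is an added example (it is not from the question or the answer above, and not from PHP's own sources) that pulls a password_hash() string apart and then re-does what password_verify() does internally. The sample password is constructed; the helper name verify_by_hand is mine. It relies on the documented behaviour of crypt(): when the stored hash is passed as the "salt" argument, crypt() reads the algorithm, cost and salt from its prefix and ignores the rest, so hashing the candidate reproduces the stored string only if the password matches.

```php
<?php
// Added example: inspect a password_hash() string and verify by hand.

$password = 'correct horse battery staple';   // constructed sample input

// Each call draws a fresh random salt, so two hashes of the same
// password are different strings that both verify.
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
echo $hash, PHP_EOL;

// Layout of a bcrypt hash: "$2y$" algorithm, "10$" cost, then 22
// characters of salt immediately followed by 31 characters of hash.
$parts  = explode('$', $hash);   // ['', '2y', '10', '<salt><hash>']
$algo   = $parts[1];
$cost   = (int) $parts[2];
$salt   = substr($parts[3], 0, 22);
$digest = substr($parts[3], 22);
printf("algo=%s cost=%d salt=%s hash=%s\n", $algo, $cost, $salt, $digest);

// PHP exposes the same information through password_get_info().
$info = password_get_info($hash);
printf("password_get_info: %s, cost %d\n", $info['algoName'], $info['options']['cost']);

// What password_verify() does: re-hash the candidate using the stored
// hash as the salt specification, then compare in constant time.
// hash_equals() avoids leaking where the two strings first differ.
function verify_by_hand(string $candidate, string $stored): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}

var_dump(verify_by_hand($password, $hash));
var_dump(verify_by_hand('wrong password', $hash));
var_dump(password_verify($password, $hash));

// Because the cost is stored in the hash, you can raise it later and
// upgrade old hashes transparently at the user's next successful login.
if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12])) {
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    echo 'rehashed: ', $hash, PHP_EOL;
}
```

Two practical consequences follow from the hash being self-describing: the database column only needs to hold that one string (no separate salt column, and it should be at least 60 characters wide for bcrypt, wider if you allow PASSWORD_DEFAULT to change), and comparisons must go through password_verify() or hash_equals(), never a plain ==, so that timing differences do not leak information about the stored value.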