public function PhpassHashedPassword::check in Drupal 10
Same name and namespace in other branches
- 8 core/lib/Drupal/Core/Password/PhpassHashedPassword.php \Drupal\Core\Password\PhpassHashedPassword::check()
- 9 core/lib/Drupal/Core/Password/PhpassHashedPassword.php \Drupal\Core\Password\PhpassHashedPassword::check()
Check whether a plain text password matches a hashed password.
Parameters
string $password: A plain-text password
string $hash: A hashed password.
Return value
bool TRUE if the password is valid, FALSE if not.
Overrides PasswordInterface::check
File
- core/
lib/ Drupal/ Core/ Password/ PhpassHashedPassword.php, line 222
Class
- PhpassHashedPassword
- Secure password hashing functions based on the Portable PHP password hashing framework.
Namespace
Drupal\Core\PasswordCode
public function check($password, $hash) {
if (substr($hash, 0, 2) == 'U$') {
// This may be an updated password from user_update_7000(). Such hashes
// have 'U' added as the first character and need an extra md5() (see the
// Drupal 7 documentation).
$stored_hash = substr($hash, 1);
$password = md5($password);
}
else {
$stored_hash = $hash;
}
$type = substr($stored_hash, 0, 3);
switch ($type) {
case '$S$':
// A normal Drupal 7 password using sha512.
$computed_hash = $this
->crypt('sha512', $password, $stored_hash);
break;
case '$H$':
// phpBB3 uses "$H$" for the same thing as "$P$".
case '$P$':
// A phpass password generated using md5. This is an
// imported password or from an earlier Drupal version.
$computed_hash = $this
->crypt('md5', $password, $stored_hash);
break;
default:
return FALSE;
}
// Compare using hash_equals() instead of === to mitigate timing attacks.
return $computed_hash && hash_equals($stored_hash, $computed_hash);
}