function PhpassHashedPasswordBase::check
Same name in other branches
- 10 core/lib/Drupal/Core/Password/PhpassHashedPasswordBase.php \Drupal\Core\Password\PhpassHashedPasswordBase::check()
Overrides PasswordInterface::check
File
-
core/
lib/ Drupal/ Core/ Password/ PhpassHashedPasswordBase.php, line 192
Class
- PhpassHashedPasswordBase
- Legacy password hashing framework.
Namespace
Drupal\Core\PasswordCode
public function check($password, $hash) {
// Newly created accounts may have empty passwords.
if ($hash === NULL || $hash === '') {
return FALSE;
}
if (str_starts_with($hash, 'U$')) {
// This may be an updated password from user_update_7000(). Such hashes
// have 'U' added as the first character and need an extra md5() (see the
// Drupal 7 documentation).
$stored_hash = substr($hash, 1);
$password = md5($password);
}
else {
$stored_hash = $hash;
}
$type = substr($stored_hash, 0, 3);
switch ($type) {
case '$S$':
// A normal Drupal 7 password using sha512.
$computed_hash = $this->crypt('sha512', $password, $stored_hash);
break;
case '$H$':
// phpBB3 uses "$H$" for the same thing as "$P$".
case '$P$':
// A phpass password generated using md5. This is an
// imported password or from an earlier Drupal version.
$computed_hash = $this->crypt('md5', $password, $stored_hash);
break;
default:
if (isset($this->corePassword)) {
return $this->corePassword
->check($password, $stored_hash);
}
return FALSE;
}
// Compare using hash_equals() instead of === to mitigate timing attacks.
return $computed_hash && hash_equals($stored_hash, $computed_hash);
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.