No, you can not check if the two hashes belong to the same password, unless you already know the password. If you could, this basically fails the purpose of using the password_hash
function.
If you know the password, you can simply, use the method: password_verify
to verify your passwords:
$res1 = "$2y$10$ZSlQNIbsLWfj7JLCSkvFLeS/adH.KnGZTgA1BcvyPXl7BEn7GhREO";
$res2 = "$2y$10$M6CnjqaxuUKNhg84T8NpLeylkUrvP1pzoZNhBWfpSzP2zJneuS1re";
var_dump(password_verify("test", $res1)); // returns true
var_dump(password_verify("test", $res2)); // returns true
So, as you can see, both the hashes will give you true
with password_verify()
method, and therefore, you do not need to check if the two hashes belong to the same password or not. And, if you do, the above logic can be used to construct a function like this:
function belongs_to_password() {
$args = func_get_args();
$str = array_shift($args);
foreach ($args as $hash) {
if (!password_verify($str, $hash)) return false;
}
return true;
}
The above function can be used to check whether the hashes passed to this function are all for the same password or not. And, can be used like this:
$res1 = "$2y$10$ZSlQNIbsLWfj7JLCSkvFLeS/adH.KnGZTgA1BcvyPXl7BEn7GhREO";
$res2 = "$2y$10$M6CnjqaxuUKNhg84T8NpLeylkUrvP1pzoZNhBWfpSzP2zJneuS1re";
var_dump(belong_to_password("test", $res1, $res2)); // returns true