Reputation: 1356
I am using password_hash to store passwords in a MySQL database field of type VARCHAR(255). When I try to log in the user and verify credentials, the password_verify function always returns false.
Here is the code excerpt that stores the password in the MySQL database:
$password_hash = password_hash($password, PASSWORD_DEFAULT);
// Generate API Key
$api_key = $this->generateApiKey();
// Insert Query
$stmt = $this->conn->prepare("INSERT INTO user(email, password, name, api_key, status) values(?, ?, ?, ?, 1)");
$stmt->bind_param("ssss", $email, $password_hash, $name, $api_key);
$result = $stmt->execute();
$stmt->close();
And the piece of code that checks the password:
// Query user by email
$stmt = $this->conn->prepare("SELECT password FROM user WHERE email = ?");
$stmt->bind_param("s", $email);
$stmt->execute();
$stmt->bind_result($password_hash);
$stmt->store_result();
if ($stmt->num_rows > 0) {
    // Found user with that email address
    // Now verify the password
    $stmt->fetch();
    $stmt->close();
    if (password_verify($password, $password_hash)) {
        // User password is correct
        return TRUE;
    }
    // Password did not match the stored hash
    return FALSE;
}
// No user with that email address
$stmt->close();
return FALSE;
Then I wrote this test code and grabbed the data straight from the MySQL field and it still fails. When I create the password_hash in the same file ($hash2 in the file below) - then the password verifies correctly.
$password = 'pass1234567890';
$hash = '$2y$10$JLP/pPei6RYRdUmoH8H5RO7iJyImOtrBLsrRRfq3XpeqNE3lQ/l7O';
$hash2 = password_hash($password, PASSWORD_DEFAULT);
echo $hash . " - " . strlen($hash);
echo "<br />";
echo $hash2 . " - " . strlen($hash2);
echo "<br />";
if (password_verify($password, $hash)) {
echo "Password Valid!";
} else {
echo "Password invalid!";
}
echo "<br /><br />";
if (password_verify($password, $hash2)) {
echo "Password 2 Valid!";
} else {
echo "Password 2 invalid!";
}
Upvotes: 1
Views: 5581
Reputation: 75
Check your password type: is it varchar or Text? Change it to text; hashing produces long text. This works for me.
Upvotes: 0
Reputation: 898
password_verify($password, trim($password_hash))
While I am unsure if it happened when the hash was stored or during retrieval, the password_hash had a space at the end. Trimming the hash before feeding it to password_verify fixed the issue for me.
Upvotes: 0
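Added example (not part of the original answers): a PHP check for the two storage problems raised in the answers above, a hash that comes back with extra whitespace and a hash that was cut short by the column. The helper name diagnose_stored_hash and the sample password are made up for illustration.

```php
<?php
// Added example; diagnose_stored_hash() is a hypothetical helper, not a PHP built-in.
function diagnose_stored_hash(string $stored): array
{
    $problems = [];
    $trimmed = trim($stored);
    if ($trimmed !== $stored) {
        $problems[] = sprintf('surrounding whitespace: %d bytes stored, %d after trim()',
            strlen($stored), strlen($trimmed));
    }
    // password_get_info() returns algoName "unknown" for a string that is
    // not in a hash format this PHP build recognises.
    if (password_get_info($trimmed)['algoName'] === 'unknown') {
        $problems[] = 'not a recognised password_hash() format';
    }
    // A bcrypt hash ($2y$ prefix) is always exactly 60 characters long.
    if (strncmp($trimmed, '$2y$', 4) === 0 && strlen($trimmed) !== 60) {
        $problems[] = sprintf('bcrypt hash is %d characters, expected 60 (truncated?)',
            strlen($trimmed));
    }
    return $problems;
}

// Constructed sample data: one clean hash and two damaged copies of it.
// PASSWORD_BCRYPT is used instead of PASSWORD_DEFAULT so the length is fixed.
$password = 'example-password';
$good = password_hash($password, PASSWORD_BCRYPT);
$cases = [
    'as generated'    => $good,
    'trailing space'  => $good . ' ',
    'truncated to 50' => substr($good, 0, 50),
];

foreach ($cases as $label => $stored) {
    $result = password_verify($password, $stored) ? 'verifies' : 'fails';
    $problems = diagnose_stored_hash($stored);
    echo $label, ': ', $result, ' (',
        $problems ? implode('; ', $problems) : 'no problems found', ')', PHP_EOL;
}
```

Run it against the value fetched from the database, before any trim(), to see which of the two problems applies.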
Reputation: 41
In my case the problem was that I stored the database connection query in another file which included the same variable that I used for fetching the current password. So what happened was that first I assigned a variable "password" to the current password and then included my connection query file, which had the same variable "password". Therefore the "password" variable of the signup form was reassigned by the "password" variable of the connection query, and that's why it actually hashed another password. So by changing the variable name this problem was solved.
Here is my code for reference,
signup.php
$email = $_POST["email"];
$password = $_POST["password"];
include 'partials/php/_dbconnect.php';
// $password was overwritten by the include above, so this hashes the wrong value
$passwordHash = password_hash($password, PASSWORD_DEFAULT);
_dbconnect.php
<?php
$server = "localhost";
$username = "root";
$password = "";
$database = "demo";
$connectionquery = mysqli_connect($server, $username, $password, $database);
?>
which I changed to:
$email = $_POST["email"];
$passwd = $_POST["password"];
include 'partials/php/_dbconnect.php';
$passwordHash = password_hash($passwd, PASSWORD_DEFAULT);
Upvotes: 0
Reputation: 1
Just make a variable for if(password_verify($pass_input, $pass_db)) where $pass_input is the value given from the textified form and $pass_db is the value stored in mysql (hashed)
Like this:
$verif_pass = (password_verify($pass_input, $pass_db));
if ($verif_pass) { echo "TRUE"; } else { echo "FALSE"; }
and just modify TRUE/FALSE as you want.
Upvotes: -1
Reputation: 3738
This proves that something is wrong with your hash
<?php
// See the password_hash() example to see where this came from.
$password = 'pass1234567890';
$hash = '$2y$10$JLP/pPei6RYRdUmoH8H5RO7iJyImOtrBLsrRRfq3XpeqNE3lQ/l7O';
$hash2 = '$2y$10$gMJKYZUc1FKSZBnsONxLOebOHj.uuEWSiCP0jo4Zv0iAHBz6iz.NG';
if (password_verify('pass1234567890', $hash)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
echo "<br>";
if (password_verify('pass1234567890', $hash2)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
Upvotes: 1