Steven Tomko

Reputation: 98

password_verify does not work when using hashed password from database

SOLVED

I had a strange problem with my registration form. JS was doing something strange, and even though password_verify worked on login, the hash was different in some cases... Now I've fixed my code and it's working! Thank you all, guys!


I've seriously been trying to figure out for 4 days already why my password_verify code isn't working, and I'm getting really confused and mad...

First of all, I have to say that the session is already started and everything else is working without problems.

But when I try to create a password_verify script, it still echoes false...

The field in the database is named password and is set to varchar(255).

The password from the database looks like this:

$2y$10$GEw0Ie6r/Udz2hgJVkCy.ut99NY5NE.h8LEvNM1gBizA1tY58iNa6

That's good, that's what it should look like...

And when I echo the database password on my page, it shows the same, so that's good. But when I do password_verify, it's not working. It shows that password_verify is false... and I don't know why, because I'm 100% sure that the password I'm inputting in the form is correct and matches the db password. However, it does not work and it does not echo "DONE" as it should.

echo strlen shows 60.

echo $dbpassword shows the hashed database password.

echo $passwordsubmitted shows the plain password input from the form.

<?php
if(isset($_POST['changepassword'])){
    if($_POST['username'] !== $_SESSION['username']){
        echo "Invalid username";
    }
    else{
        $stmtselectvalues = $mysqli->prepare("SELECT password FROM members WHERE username = ?");
        $stmtselectvalues->bind_param('s',$_SESSION['username']);
        $stmtselectvalues->execute();
        $stmtselectvalues->bind_result($dbpassword);
        $stmtselectvalues->store_result();
        while($stmtselectvalues->fetch()){
            $passwordsubmitted = $_POST['password'];
            echo strlen($dbpassword)."<p>";

            echo "Submitted password: ".$passwordsubmitted." and password from database: ".$dbpassword."<p>";
            if(password_verify($passwordsubmitted, $dbpassword) == false){
                echo "Invalid Password";
            }
            else{
                echo "DONE!";
            }
        }
    }
}
?>
<center>
    <form method='POST'>
        Username: <input type='text' name='username'><br>
        Password: <input type='text' name='password'><br>
        <input type='submit' name='changepassword'><br>
    </form>
</center>

But when I use this code, it works and echoes "DONE", so that means password_verify is true...

<?php
if(isset($_POST['changepassword'])){
    if($_POST['username'] !== $_SESSION['username']){
        echo "Invalid username";
    }
    else{
        $dbpassword = password_hash("test", PASSWORD_BCRYPT);
        $passwordsubmitted = $_POST['password'];
        echo strlen($dbpassword)."<p>";

        echo "Submitted password: ".$passwordsubmitted." and password from database: ".$dbpassword."<p>";
        if(password_verify($passwordsubmitted, $dbpassword) == false){
            echo "Invalid Password";
        }
        else{
            echo "DONE!";
        }
    }
}
?>
<center>
    <form method='POST'>
        Username: <input type='text' name='username'><br>
        Password: <input type='text' name='password'><br>
        <input type='submit' name='changepassword'><br>
    </form>
</center>

I really don't know why this is happening. Any suggestions?

UPDATE: The registration input is <input type='password' name='password'>

and the submitted password from registration is hashed with this code:

$password = $_POST['password'];
$passwordhash = password_hash($password, PASSWORD_BCRYPT);

Upvotes: 1

Views: 1185

Answers (1)

liviu

Reputation: 1

The issue seems to be with the hashing. I've called bcrypt() with the same string parameter seven times and it returned seven different hash values; only the first seven chars, $2y$10$, are always the same:

$2y$10$C7FReGma/9fauYdufdNR3uleGKBgcl4vzL/tMjsksKOmNoPpcoaT2
$2y$10$f7ZjFAgyq5tNcG7dc8RsIuOPTPLFyJFK0RiWfPusE7gqs4.hpRH.u
$2y$10$PnQrq.C3NOdxyNwpWZowzOe77Dsc0Qdr5yzrMzHAV3rH7aqVZYslG
$2y$10$6LL9imr9qB3mnJaoDFsurOAqas4Co/6bN.6mgheHzSboLDtT.Q5hS
$2y$10$Rytiq/6HILN3Bm6cLT7ZM.rO.LjxuLY2xM2FZs3Pa9O2BXbH5H3vO
$2y$10$gg21TJ6GiJg6Wz7RVQkyfufHzlAzfTkKfOdOgsRKotKpsgAoFQErK
$2y$10$v8YdEIA25mBIi4jsrCDABuFzmITv.BuMr9YQl2RUN2xc1rmk0Po9a

The same issue occurs with MD5(). So, when password_verify() compares the two hashes, it returns false.

Upvotes: -2
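The following is an added example, not code from the question or the answer above. It demonstrates what the differing hashes in the answer actually mean for password_verify(), and reproduces the two things the asker's debugging should rule out: a hash damaged between the database and the script, and a password string that was altered before it was hashed. It assumes PHP 7.4 or later (for the 'algoName' key of password_get_info()) and uses the constructed sample password 'test'.

```php
<?php
// Added example; not code from the question or the answer above.
// Assumes PHP >= 7.4 (password_get_info() 'algoName') and uses the
// constructed sample password 'test'.
declare(strict_types=1);

const SAMPLE_PASSWORD = 'test';   // constructed sample input

// 1. The same password hashed several times yields several different hashes
//    (each call draws a fresh random salt that is embedded in the hash), yet
//    password_verify() accepts every one of them, because it reads the salt
//    back out of the stored hash instead of generating a new one.
function saltedHashesAllVerify(string $password, int $count = 5): bool
{
    $hashes = [];
    for ($i = 0; $i < $count; $i++) {
        $hashes[] = password_hash($password, PASSWORD_BCRYPT);
    }
    foreach ($hashes as $h) {
        // every bcrypt hash is 60 chars and starts with "$2y$10$" at the default cost
        if (strlen($h) !== 60 || strncmp($h, '$2y$10$', 7) !== 0) {
            return false;
        }
        if (!password_verify($password, $h)) {
            return false;
        }
    }
    // all hashes are distinct: the differing salts are expected, not a fault
    return count(array_unique($hashes)) === $count;
}

// 2. A column narrower than 60 chars (or any other truncation on the way to
//    or from the database) breaks the hash; password_verify() then fails even
//    for the right password. varchar(255) is wide enough, so this is what to
//    rule out when the stored value is shorter than 60.
function truncatedHashFails(string $password): bool
{
    $stored = substr(password_hash($password, PASSWORD_BCRYPT), 0, 50);
    return password_verify($password, $stored) === false;
}

// 3. If the password string is changed before hashing (JS altering the form
//    value, a stray newline, trimming on one side only), the stored hash is
//    intact but was computed over a different input, so the correct password
//    no longer verifies while the altered one does.
function alteredInputFails(string $password): bool
{
    // registration hashed a changed value (constructed: a trailing newline)
    $stored = password_hash($password . "\n", PASSWORD_BCRYPT);
    return password_verify($password, $stored) === false
        && password_verify($password . "\n", $stored) === true;
}

// 4. Sanity-check a hash read back from the database before blaming
//    password_verify(): it must parse as bcrypt and be exactly 60 chars.
function storedHashLooksIntact(string $stored): bool
{
    $info = password_get_info($stored);
    return $info['algoName'] === 'bcrypt' && strlen($stored) === 60;
}

foreach ([
    'saltedHashesAllVerify' => saltedHashesAllVerify(SAMPLE_PASSWORD),
    'truncatedHashFails'    => truncatedHashFails(SAMPLE_PASSWORD),
    'alteredInputFails'     => alteredInputFails(SAMPLE_PASSWORD),
    'storedHashLooksIntact' => storedHashLooksIntact(password_hash(SAMPLE_PASSWORD, PASSWORD_BCRYPT)),
    'truncatedHashIntact'   => storedHashLooksIntact(substr(password_hash(SAMPLE_PASSWORD, PASSWORD_BCRYPT), 0, 50)),
] as $name => $result) {
    echo $name, ': ', var_export($result, true), PHP_EOL;
}
```

Run it with `php example.php`. The first check shows that distinct hashes for one password are normal and all verify, so differing hashes by themselves never make password_verify() return false. The remaining checks are the practical diagnostics when verify fails against a stored hash: confirm the value read back is an intact 60-char bcrypt string, then confirm the string that was hashed at registration is byte-for-byte the string submitted at verification, echoing both with their lengths rather than by eye.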
