Reputation: 407
I've started using password_hash() for password hashing. The problem I'm having is that when I use password_verify() to check whether the input value matches the hashed password stored in the database, it returns false every time.
$password = "test";
$query = "SELECT password FROM user WHERE password = :pass ";
$statement = $connection->prepare($query);
$statement->bindParam(":pass", $password);
$statement->execute();
if(password_verify($password, $row['password'])){
echo "Password Valid";
}
else {
echo "Invalid Password";
}
However, if, for example, I copy a single hashed password value from the database and put it in place of $row['password'], the code returns true when I test it.
if(password_verify($password, '$2y$10$kc09i9YSP.ExmUquMqRnf......')){
echo "Password Valid";
}
Help please.
Upvotes: 0
Views: 188
Reputation: 3886
Replace:
$statement->bindParam(":pass", $password);
With:
$statement->bindParam(":pass", password_hash($password, PASSWORD_DEFAULT));
Please use the answer from Joel Hinz
Upvotes: -2
Reputation: 25374
The first problem is that you're trying to use SQL to look for a hashed password. The standard procedure is to find the user with a given username, and fetch that user's password so you can validate.
Your other problem is that you call $row['password'], but you haven't actually set it yet in your code. Fetch the row first, and then you can validate the password.
Something like this should work:
$username = "test";
$password = "test"; // the plaintext submitted by the user, as in the question
$query = "SELECT password FROM user WHERE username = :username ";
$statement = $connection->prepare($query);
$statement->bindParam(":username", $username);
$statement->execute();
$row = $statement->fetch(); // now $row['password'] holds the stored hash
if(password_verify($password, $row['password'])){
echo "Password Valid";
}
else {
echo "Invalid Password";
}
Upvotes: 3
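The flow from the accepted answer as a complete, runnable script (added here as an example; it is not code from the question or either answer). It assumes PHP with the pdo_sqlite extension so that an in-memory SQLite table can stand in for the real user table, and it also shows why the question's "WHERE password = :pass" lookup can never match.

```php
<?php
// Constructed example: register a user, then log in by looking the row up by
// username and letting password_verify() do the comparison.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration: store only the salted hash, never the plaintext.
function registerUser(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login: select by username, fetch the row, then verify against the stored hash.
function loginUser(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown username
    }
    if (!password_verify($password, $row['password'])) {
        return false; // wrong password
    }
    // Optional hardening: upgrade the stored hash if the default cost has changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user SET password = :p WHERE username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

registerUser($db, 'alice', 'test');
var_dump(loginUser($db, 'alice', 'test'));  // correct credentials
var_dump(loginUser($db, 'alice', 'wrong')); // wrong password
var_dump(loginUser($db, 'bob', 'test'));    // unknown user

// Every call to password_hash() draws a fresh random salt, so two hashes of the
// same password differ. That is why selecting WHERE password = :pass, whether
// bound to the plaintext or to a newly computed hash, never finds the row.
var_dump(password_hash('test', PASSWORD_DEFAULT) === password_hash('test', PASSWORD_DEFAULT));
```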