Baya

Reputation: 15

password_verify not returning true

I'm new to this, and still learning, and as per suggestion I was replacing my md5 encrypted passwords with bcrypt, but the password_verify isn't returning true for some reason.

From the controller:

$old_pass = $this->input->post('old_password');

In the Model:

function edit_member($user_info, $old_pass)
{
    $id_user = $this->session->userdata('id_user');
    $user_pass = $this->db->query("SELECT password FROM membros WHERE id_user='" . $id_user . "'")->result();
    if (password_verify($old_pass, $user_pass[0]->password)) {
        $this->db->where('id_user', $id_user);
        $this->db->update('membros', $user_info);
        redirect('/cpanel');
    } else {
        //redirect('/edit_account/edit');
        print_r("A password não coincide");
        echo anchor('/cpanel', 'Voltar');
    }
    /*print_r($user_pass[0]->password);
    print_r($old_pass);*/
}

Could anyone please tell me how to fix it?

Cheers, Baya

EDIT:

The first thing I did was update the password in the db with the new encryption, by editing the user through the edit_member function (just so I can show how the password was updated in the db):

function edit_member() {
    $password = $this->input->post('password');
    $user_info = array(
        'first_name' => $this->input->post('first_name'),
        'last_name' => $this->input->post('last_name'),
        'email' => $this->input->post('email'),
        'username' => $this->input->post('username'),
        'password' => password_hash($password, PASSWORD_BCRYPT)."\n"
    );
    $old_pass = $this->input->post('old_password');
    $this->load->model('membership_model');
    $this->membership_model->edit_member($user_info, $old_pass);
}

Upvotes: 0

Views: 294

Answers (2)

Baya

Reputation: 15

Apparently it was because the password had been changed into the db with

password_hash($password, PASSWORD_BCRYPT)."\n"

(which I kinda copied from other people's posts)

as soon as I deleted the ."\n" bit it started working (I have no idea what this does, like I said, I kinda copied it from other people -.- )

Thanks to everyone who took a look at the issue, and sorry for wasting your time -.-

Cheers, Baya

Upvotes: 0

Matt Prelude

Reputation: 912

If password_verify isn't returning true, it's because:

  1. You have not re-hashed the old passwords into bcrypt; OR
  2. Your passwords are stored incorrectly; OR
  3. You're entering the wrong password

My guess is #1, in which case you need to update your login logic to do the following:

  1. MD5 the input password, check if this matches the hash in the database. If so, update the hash in the database using password_hash.
  2. Run password_verify on the user password, against the hash in the database.

A lot of my legacy systems work somewhat like this, updating user passwords as they go along (after 6 months or so, I tend to send them a reminder to change their password and disable the old MD5 password).

Upvotes: 1
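The migrate-on-login procedure from the answer above (MD5 check, then upgrade to bcrypt, then password_verify), together with the trailing "\n" problem Baya found, as an added example that is not code from the question or either answer. It uses a constructed in-memory array instead of the membros table, and the helper names (makeSampleUsers, isLegacyMd5, loginAndMigrate) are assumptions; the PHP functions password_hash, password_verify, password_needs_rehash, hash_equals and md5 are the real ones.

```php
<?php
// Added example (not from the question or answers): legacy-MD5-to-bcrypt
// migration on login, plus the stray-newline case from the question.
// Users are held in a constructed array standing in for the membros table.

declare(strict_types=1);

// Constructed sample rows: one legacy MD5 row, one already-migrated row,
// and one bcrypt row with "\n" appended, as the question's controller did.
function makeSampleUsers(): array
{
    return [
        'ana'  => ['password' => md5('hunter2')],
        'rui'  => ['password' => password_hash('correct horse', PASSWORD_BCRYPT)],
        'baya' => ['password' => password_hash('secret123', PASSWORD_BCRYPT) . "\n"],
    ];
}

// A stored value is treated as legacy when it is a bare 32-hex-digit MD5 digest.
function isLegacyMd5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

/**
 * Verify $input for $username. On a legacy MD5 match, the row is upgraded to
 * bcrypt in place (step 1 of the answer); otherwise password_verify is used
 * (step 2). Returns true when the password is accepted.
 */
function loginAndMigrate(array &$users, string $username, string $input): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username]['password'];

    if (isLegacyMd5($stored)) {
        // hash_equals compares in constant time, unlike == on two strings.
        if (!hash_equals($stored, md5($input))) {
            return false;
        }
        // Upgrade: store exactly what password_hash returns, nothing appended.
        $users[$username]['password'] = password_hash($input, PASSWORD_BCRYPT);
        return true;
    }

    if (!password_verify($input, $stored)) {
        return false;
    }
    // Re-hash transparently if the bcrypt cost has been raised since.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $users[$username]['password'] = password_hash($input, PASSWORD_BCRYPT);
    }
    return true;
}

$users = makeSampleUsers();

// Legacy row: first login matches via MD5 and rewrites the row as bcrypt,
// so the second login goes through password_verify.
var_dump(loginAndMigrate($users, 'ana', 'hunter2'));
var_dump(isLegacyMd5($users['ana']['password']));
var_dump(loginAndMigrate($users, 'ana', 'hunter2'));

// Already-migrated row with a wrong password.
var_dump(loginAndMigrate($users, 'rui', 'wrong'));

// Row stored with "\n" appended: the 61-character string is not a valid bcrypt
// hash, so password_verify rejects even the correct password. Stripping the
// newline restores a verifiable hash.
var_dump(loginAndMigrate($users, 'baya', 'secret123'));
$users['baya']['password'] = rtrim($users['baya']['password'], "\n");
var_dump(loginAndMigrate($users, 'baya', 'secret123'));
```

The isLegacyMd5 check is what lets the two storage formats coexist in one column during the migration window; once the reminder period the answer mentions has passed, rows that still match it can be disabled rather than accepted.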
