My problem is that I'm using CodeIgniter. I created an Administrator Panel which I use to create users and passwords. I use password_hash before sending them to the database (in fact, in the database I can see the hashed password).
The problem is... When I try to log in, it doesn't. I can only access with administrator account, which I created before I started using CodeIgniter.
I can log in with admin account, but not with the accounts created with the admin panel.
I tried to use a very simple PHP file (outside CI) to copy and paste the hash to one of the user's fields in my database and it worked. I don't understand why this doesn't work within CodeIgniter. Here's part of my code:
    public function insert_user($username, $passw, $perm){
        // Hash the plain-text password before it is stored
        $hashed_pass = password_hash($passw, PASSWORD_DEFAULT);
        $data = array(
            "username" => $username,
            "passw" => $hashed_pass,
            "perms" => $perm
        );
        // Pass the array built above ($data) to the query builder
        $this->db->insert('usuarios', $data);
    }
The function above correctly inserts data into the database. I can see the hashed password, but when I try to log in with users created from the admin panel, it just doesn't work (but it does with the admin account, and they are all using the same function to log in).
    public function login($username, $password){
        // Bind the username as a query parameter instead of concatenating it into the SQL string
        $query = $this->db->query("select passw, perms from users where username = ?", array($username));
        $result = $query->row();
        // row() returns NULL when no user matches; treat that as a failed login
        if($result !== null && password_verify($password, $result->passw)){
            $info= array(
                "is_valid" => true,
                "username" => $username,
                "perms" => $result->perms
            );
            return $info;
        }
        else {
            $info= array(
                "is_valid" => false,
                "username" => ""
            );
            return $info;
        }
    }
I checked the database and CI charset, all is utf8. I don't understand why it is not working... I would appreciate any help.
P.S.: if the names of the variables do not match or are not the same, it is because I translated them to English (I'm not a native English speaker, so I'm not using English in this project).
Thank you.
EDIT
I've changed the code to use md5 instead of password_hash and I'm having the same issue.
EDIT 2
I detected the problem: I was comparing the 2 passwords (the first one and the confirm password). After that comparison, I passed the data to the model... But the variable of the password I was sending to the model was a new variable with no data. I was hashing an uninitialized variable.
There doesn't seem to be any problem in the code you show. As I commented, the likely problem is that the passw column in the table is truncating the data being inserted.
Check the documentation for password_hash to find what the return data size is for the various algorithms and adjust your table structure accordingly. For PASSWORD_DEFAULT the suggested size is 255 characters.
The code below isn't an answer, but I have time and thought you might find a refactored version of login() interesting.
It is assumed that you have properly validated and sanitized the values being passed to the login() method.
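An added example, not part of either post and not the refactored login() the answer mentions: it reproduces the two causes discussed on this page, a hash truncated by a too-narrow column and a hash computed from an empty variable, and shows a check that tells them apart. The helper names, the VARCHAR widths and the sample password are assumptions constructed for illustration; store_in_column() only simulates the silent truncation MySQL performs in non-strict mode.

```php
<?php
// Added example: all helper names and sample values are constructed for illustration.

// Simulates a VARCHAR($width) column that silently truncates (MySQL non-strict mode).
function store_in_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Explains why a stored hash does or does not verify against a login attempt.
function diagnose_stored_hash(string $stored, string $attempt): string
{
    // A truncated hash no longer matches any known format, so algoName is "unknown".
    if (password_get_info($stored)['algoName'] === 'unknown') {
        return 'malformed or truncated hash (' . strlen($stored) . ' chars)';
    }
    // A well-formed hash that verifies the empty string means the password
    // value was lost before hashing (the cause found in EDIT 2).
    if (password_verify('', $stored)) {
        return 'hash of an empty password';
    }
    return password_verify($attempt, $stored) ? 'ok' : 'wrong password';
}

// Guard for the model: refuse to hash a missing or empty password.
function hash_new_password(?string $plain): string
{
    if ($plain === null || $plain === '') {
        throw new InvalidArgumentException('Refusing to hash an empty password');
    }
    return password_hash($plain, PASSWORD_DEFAULT);
}

$password = 'correct horse battery staple'; // constructed sample password
$hash = hash_new_password($password);

$cases = array(
    'VARCHAR(255) column' => store_in_column($hash, 255),
    'VARCHAR(32) column'  => store_in_column($hash, 32),
    // What the admin panel stored when the password variable was empty:
    'empty variable'      => password_hash('', PASSWORD_DEFAULT),
);
foreach ($cases as $label => $stored) {
    printf("%-20s %s\n", $label, diagnose_stored_hash($stored, $password));
}
```

Both failing rows look like a hashed password when viewed in the database; only the stored length or a verification against the empty string distinguishes them.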