Reputation: 9529
I'm trying to make a user login system where the password is hashed, I'm using this:
function mk_password_hash($password) {
    // bcrypt cost factor: 12 means 2^12 key-expansion rounds; raise it as hardware gets faster
    $options = [
        'cost' => 12,
    ];
    // PASSWORD_BCRYPT returns a 60-character "$2y$..." string that already embeds a random salt
    $hashed_password = password_hash($password, PASSWORD_BCRYPT, $options);
    return $hashed_password;
}
Then I store the hashed password in the users table.
When the user tries to log in, the script selects the hashed password from the db, then compares it to the password typed by the user:
// $email and $pass hold the values submitted by the user (assumed to be set earlier)
$query = 'SELECT id, status, pass FROM users WHERE email = ? LIMIT 1';
$stmt = $mysqli->prepare($query);   // prepared statement: the email is bound, not interpolated
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();              // buffer the result so num_rows is available
$num_rows = $stmt->num_rows;
if ($num_rows < 1) {
    // no account with this email; same message as a wrong password
    echo '[error-login-wrong]';
} else {
    $stmt->bind_result($uid, $user_status, $user_pass);
    $stmt->fetch();
    if ($user_status == 1) {
        // compare the submitted plaintext against the stored bcrypt hash
        if (password_verify($pass, $user_pass)) {
            $_SESSION['my-uid'] = $uid;
            $_SESSION['logged'] = TRUE;
            echo '[success]';
        } else {
            echo '[error-login-wrong]';
        }
    } else {
        echo '[error-login-disabled]';
    }
}
Here $pass is the input from the user, and $user_pass is the hashed password from the db.
Now this always returns false ([error-login-wrong]), meaning the password and the hashed password don't match.
NB: there is no time between creating the hashed password and trying to login, so no algorithm change or whatever.
Any explanation?
Upvotes: 0
Views: 25
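The following is an added, self-contained example (not code from the question) that runs the same hash, store, select and password_verify() cycle end to end, so each step can be checked in isolation. It uses an in-memory SQLite table through PDO as a stand-in for the MySQL `users` table; the column names id/status/pass/email, the status value 1 = active, and the cost of 12 mirror the question. The stored_hash_matches() diagnostic is an assumption about where to look, not a cause stated by the post: it confirms that the value read back from the table is byte-for-byte the hash that was written, since password_verify() cannot succeed against a hash that was altered in storage.

```php
<?php
declare(strict_types=1);

// Added example; assumes the pdo_sqlite extension is loaded.
const BCRYPT_COST = 12;

function mk_password_hash(string $password): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    // password_hash() with PASSWORD_BCRYPT always yields a 60-character string
    // beginning with "$2y$". Checking this catches a broken hash before it is stored.
    if (strlen($hash) !== 60 || strncmp($hash, '$2y$', 4) !== 0) {
        throw new RuntimeException('password_hash() returned an unexpected value');
    }
    return $hash;
}

function create_users_table(PDO $db): void
{
    // In MySQL the pass column must be wide enough for the whole hash; the PHP
    // manual recommends VARCHAR(255) so a future algorithm change still fits.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        email TEXT NOT NULL UNIQUE,
        status INTEGER NOT NULL,
        pass TEXT NOT NULL
    )');
}

function register_user(PDO $db, string $email, string $password, int $status = 1): string
{
    $hash = mk_password_hash($password);
    $stmt = $db->prepare('INSERT INTO users (email, status, pass) VALUES (?, ?, ?)');
    $stmt->execute([$email, $status, $hash]);
    return $hash;
}

// Diagnostic (assumed check, not from the post): is the stored value exactly the
// hash we wrote? If not, password_verify() will fail and the storage layer
// (column type and length, charset, trimming) is where to look.
function stored_hash_matches(PDO $db, string $email, string $hash): bool
{
    $stmt = $db->prepare('SELECT pass FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && hash_equals($hash, (string) $stored);
}

function login(PDO $db, string $email, string $pass): string
{
    $stmt = $db->prepare('SELECT id, status, pass FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown email and wrong password give the same response, so the form does
    // not reveal which addresses are registered.
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return '[error-login-wrong]';
    }
    // Disclose the account state only after the password has been confirmed.
    if ((int) $row['status'] !== 1) {
        return '[error-login-disabled]';
    }
    // Transparently upgrade hashes created with an older, cheaper cost.
    if (password_needs_rehash($row['pass'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE users SET pass = ? WHERE id = ?');
        $upd->execute([mk_password_hash($pass), $row['id']]);
    }
    return '[success]';
}

// Constructed sample run: one registered account, then three login attempts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_users_table($db);

$hash = register_user($db, 'alice@example.com', 'correct horse battery staple');
var_dump(stored_hash_matches($db, 'alice@example.com', $hash));
echo login($db, 'alice@example.com', 'correct horse battery staple'), PHP_EOL;
echo login($db, 'alice@example.com', 'wrong password'), PHP_EOL;
echo login($db, 'nobody@example.com', 'anything'), PHP_EOL;
```

Two design choices differ from the question's snippet on purpose: the password is verified before the status is checked, so a disabled account is not distinguishable from a wrong password until the caller has proven they know the password, and password_needs_rehash() lets the cost be raised later without forcing a reset. When debugging a case like the one in the question, run stored_hash_matches() right after the insert; if it is false, compare strlen() of the returned value with 60 before looking anywhere else.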