This block of code returns "success":
$sql = "SELECT * FROM users WHERE username='$username'";
$query = $this->db->query($sql);
$count = $query->num_rows();

if ($count == 1)
{
    $row = $query->row();
    $hash = $row->password;
    $hash = '$2y$10$zF/7n3QOAq9ADh2S4kBZBuz94QNzCA0GyRfd1WT7JqNhDVpcXQgEq';
    $pass = 'hello';
    if (password_verify($pass, $hash)) {
        return "success";
    }
    else
    {
        $data = "Hash: " .$hash." Password:".$pass;
        return $data;
    }
}
else
{
    return "zero rows";
}

But when I change it to this (I comment out the second $hash):
$sql = "SELECT * FROM users WHERE username='$username'";
$query = $this->db->query($sql);
$count = $query->num_rows();

if ($count == 1)
{
    $row = $query->row();
    $hash = $row->password;
    //$hash = '$2y$10$zF/7n3QOAq9ADh2S4kBZBuz94QNzCA0GyRfd1WT7JqNhDVpcXQgEq';
    $pass = 'hello';
    if (password_verify($pass, $hash)) {
        return "success";
    }
    else
    {
        $data = "Hash: " .$hash." Password:".$pass;
        return $data;
    }
}
else
{
    return "zero rows";
}

It returns the following message:
Hash: $2y$10$zF/7n3QOAq9ADh2S4kBZBuz94QNzCA0GyRfd1WT7JqNhDVpcXQgEq Password:hello


What could be wrong?

What I have tried:

Tried looking on Stack Overflow, couldn't find answers
Posted; updated 7-Dec-16 17:42pm

1 solution

That is what it is. Your first place to visit should be PHP: password_verify - Manual, not Stack Overflow.
The
password_verify($pass, $hash)

will hash your $pass value and compare it to the $hash value, returning true if they match, else false.
Comments
kmllev 8-Dec-16 0:11am
The problem is: isn't the method comparing exactly the same values? Basically I copied the value from the database and pasted it into the variable for debugging in the 1st block. In the 1st block I simply did an override of the values, to check if it's working correctly. The 2nd block of code fetches the corresponding hash from the database and returns the same hash/value as in the 1st block. What confuses me is why it returns false when the values aren't changed, as seen in the message the 2nd block returns.
Could it be I'm missing out on something since I'm fetching the value from the database? Is some parsing needed?
Peter Leow 8-Dec-16 1:28am
Apparently, your hash value from your database and that from password_verify() are not the same. In fact, if you look at the documentation, it is using password_hash() to do the hashing in PHP. Read http://php.net/manual/en/function.password-hash.php
Pass your 'hello' password to this function and see what it returns.
kmllev 8-Dec-16 1:36am
I see. Even though I typed the correct password when trying to "log in", which is "hello", the hash returned is different after checking the $pass in password_hash(), so a successful login perhaps would never be possible. How can I fix it? Or should it be in a new post? All I do is get the input from the user and then fetch from the database the corresponding (hashed) password for that username and then use password_verify to see if they match. More like the question though is: why is hello being hashed when verified as a variable but not when it's explicitly typed?
Peter Leow 8-Dec-16 1:46am
There exist different hashing algorithms; for the hash of a string to match, both sides must be hashed with the same algorithm. You will have to find out what hash algorithm was used to hash the passwords that are stored in the database. Not forgetting, they might also be salted on top of hashing. Read more: https://crackstation.net/hashing-security.htm
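An added example, not part of the question or of the answer above, that reproduces the symptom with plain PHP and no database. It shows why two password_hash() outputs for 'hello' differ from each other yet both verify (the point the comment thread stumbled over), and what password_verify() returns when the string fetched from the database is not byte-for-byte the 60-character hash that password_hash() produced: surrounding whitespace, a trailing newline, or a column that cut it short. Those three cases, the helper names diagnose_stored_hash() and verify_login(), and the constant BCRYPT_LENGTH are constructed here; they are not from the page.

```php
<?php
// Added example, not the asker's code: reproduces the question's symptom with plain
// PHP and no database, so the hash comparison can be isolated from the query.
// All sample values below are constructed here.
declare(strict_types=1);

const BCRYPT_LENGTH = 60;   // password_hash() with bcrypt always emits 60 bytes

/**
 * Check a hash fetched from storage before trusting a failed password_verify().
 * Returns a list of findings; an empty list means the string looks like an intact
 * bcrypt hash, and a mismatch is then a genuinely wrong password.
 */
function diagnose_stored_hash(string $hash): array
{
    $findings = [];
    if ($hash !== trim($hash)) {
        $findings[] = 'surrounding whitespace (column padding or a stray line ending)';
    }
    if (strlen($hash) !== BCRYPT_LENGTH) {
        $findings[] = sprintf('length %d, bcrypt needs %d (column too short?)', strlen($hash), BCRYPT_LENGTH);
    }
    if (password_get_info(trim($hash))['algoName'] === 'unknown') {
        $findings[] = 'prefix not recognised by password_get_info()';
    }
    return $findings;
}

/**
 * The login check from the question, with the diagnosis attached to the failure
 * path instead of returning the hash and the cleartext password to the caller.
 */
function verify_login(string $pass, string $storedHash): array
{
    if (password_verify($pass, $storedHash)) {
        return ['ok' => true, 'findings' => []];
    }
    return ['ok' => false, 'findings' => diagnose_stored_hash($storedHash)];
}

// 1. Hashing the same password twice yields two different strings, because each
//    call draws a fresh random salt, yet password_verify() accepts both. A hash
//    that "looks different" from the stored one is therefore expected, not the bug.
$h1 = password_hash('hello', PASSWORD_BCRYPT);
$h2 = password_hash('hello', PASSWORD_BCRYPT);
if ($h1 === $h2 || !verify_login('hello', $h1)['ok'] || !verify_login('hello', $h2)['ok']) {
    throw new RuntimeException('unexpected password_hash()/password_verify() behaviour');
}

// 2. Constructed copies of what a database column can hand back. Printed as
//    "Hash: $hash" they look identical to $h1, but they are not the same bytes,
//    so password_verify() reports false for every one of them.
$samples = [
    'intact'    => $h1,
    'padded'    => $h1 . '  ',          // fixed-width column padding
    'newline'   => $h1 . "\n",          // hash pasted or imported with a line ending
    'truncated' => substr($h1, 0, 50),  // a column shorter than 60 chars cut the hash
];
foreach ($samples as $label => $hash) {
    $r = verify_login('hello', $hash);
    printf("%-9s verify=%-5s len=%d %s\n",
        $label, $r['ok'] ? 'true' : 'false', strlen($hash), implode('; ', $r['findings']));
}

// 3. Make the invisible difference visible: compare bytes, not the echoed string.
printf("last bytes intact: %s\nlast bytes padded: %s\n",
    bin2hex(substr($samples['intact'], -4)), bin2hex(substr($samples['padded'], -4)));
```

Run it with `php example.php`. Applied to the question's second block, the same checks mean: look at `strlen($row->password)` and `bin2hex($row->password)` before concluding that password_verify() is broken, since the echoed "Hash: ..." line hides padding, line endings and a short column. Two further points follow from the posted code rather than from this example: the username is interpolated into the SQL string, and CodeIgniter 3's `$this->db->query()` takes a bindings array as its second argument (`?` in the SQL, `[$username]` as the second parameter) so the lookup does not depend on string interpolation; and the else branch returns the stored hash together with the submitted cleartext password to the caller, which is debugging output that should not reach a response.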

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)