php password_hash and password_verify issues no match
The problem with your code is that you are using the double quotation marks (") instead of the single quotation marks (') when dealing with your hash.
When assigning:
$hash = "$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e";
It's making PHP think you have a variable called $2y, another one called $10 and finally a third one called $fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e, which obviously isn't the case.
I noticed when turning on error reporting that the error:
Notice: Undefined variable: fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e
was being thrown by PHP.
Replace all your double quote marks with single quote marks to fix.
E.g.
$hash = '$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e';
Treats the whole hash as a literal string instead of a string with embedded variables.
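As an added example (not code from the answer above), the following reproduces the double-quote interpolation described here and adds a small check that tells "the stored value is not a hash at all" apart from "it is a hash, but for a different password". The hash literal is the one quoted in the question; its plaintext is not known here, so only its shape is checked. The helper names are invented for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answer above. It reproduces the
// double-quote interpolation the answer describes and adds a check that
// distinguishes "not a hash at all" from "a hash for a different password".

error_reporting(E_ALL);   // keep notices/warnings visible, as the answer advises

/**
 * True when $value parses as the output of password_hash() (any algorithm).
 * password_get_info() reports algo 0 (PHP 7) or null (PHP 8) for anything else.
 */
function looksLikePasswordHash(string $value): bool
{
    return !empty(password_get_info($value)['algo']);
}

/** Describe a stored value the way you would want to see it in a debug log. */
function describeStoredHash(string $label, string $value): string
{
    if (!looksLikePasswordHash($value)) {
        return sprintf('%s: %s (%d bytes) is NOT a password_hash() result',
            $label, var_export($value, true), strlen($value));
    }
    $info = password_get_info($value);
    return sprintf('%s: %s hash, options %s, %d bytes',
        $label, $info['algoName'], json_encode($info['options']), strlen($value));
}

// Single quotes: the hash is stored byte for byte.
$single = '$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e';

// Double quotes: "$fXJE...bO4e" is parsed as a variable name (the "$2" and "$1"
// survive only because a variable name cannot start with a digit), so the value
// collapses to "$2y$10" and PHP emits an undefined-variable notice/warning.
$double = "$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e";

echo describeStoredHash('single-quoted', $single), PHP_EOL;
echo describeStoredHash('double-quoted', $double), PHP_EOL;
```

Run it with notices enabled: the single-quoted literal is reported as a 60-byte bcrypt hash, while the double-quoted one is reported as a short string that password_get_info() does not recognise, together with the undefined-variable message the answer mentions. The same describeStoredHash() call is worth running on whatever comes back from your database before blaming password_verify().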
php password_hash and password_verify looked all over still doesn't work
Store the hash
Have you checked that agent_password is storing a hash generated by:
password_hash( $password, PASSWORD_DEFAULT );
Check PDO standards
Probably has no effect, but it is worth following standards for the different implementations of bindParam. If you're using the ? method, then:
$s->bind_param( 1, $username );
There are several odd implementations of PDO in your script, try adjusting:
$s->execute();
//$hash = $s->get_result();
//$hash = $hash->fetch_array( MYSQLI_ASSOC );
$hash = $s->fetchColumn();
Change subsequent calls of $hash['agent_password'] to just $hash instead.
Test Basic Operation
Test the following:
// $password = $_POST["password"];
$password = "password";
Then, also try storing that hash, and retrieving it again, from mysql, prior to the final verify step.
Finally
I deeply suspect that what is stored in agent_password is not in fact a password hashed with password_hash.
password_verify not matching after writing to database
I simulated your code without database and form fetching, and it runs ok. It means there's something wrong either with your database or with your POST fields.
// New user - add them to database
echo "Creating your account. <br>";
$pwd = '12345';
//$password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
$password = password_hash($pwd, PASSWORD_BCRYPT);
echo $password . '<br>';
$dbpwd = $password;
echo $dbpwd . '<br>';
if(password_verify(trim($pwd), $dbpwd))
{
echo 'Match<br>';
}
else
{
echo 'Match failed<br> ';
}
Output:
Creating your account.
$2y$10$iw6fSApO7Ok0ySZ.OsQqbe.DpVrvzJ86ZYIsWYg5060hyXbBYEiee
$2y$10$iw6fSApO7Ok0ySZ.OsQqbe.DpVrvzJ86ZYIsWYg5060hyXbBYEiee
Match
Use var_dump on your hashed $password var before the INSERT, then again with your $dbpwd after the SELECT and see if you get anything wrong. Also, check your PHP project scripts and your database schema for conflicting charset definitions.
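The two answers above both come down to the same check: does the value that comes back from the SELECT still equal the hash that went into the INSERT? The following added example (not code from either answer or from the question) wires up one clean PDO round trip, using fetchColumn() for the single column as suggested, and packages the var_dump comparison into a function that names the usual causes. It assumes the pdo_sqlite extension so it runs without a MySQL server; the table name `agents` and column `agent_password` follow the question, and the function names are invented here.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answers above: hash -> INSERT -> SELECT ->
// password_verify() through PDO, plus a diagnostic that compares what went in
// with what came back. Assumes pdo_sqlite (in-memory) so it runs offline.

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // 255 leaves room for algorithms whose output is longer than bcrypt's 60 bytes.
    $db->exec('CREATE TABLE agents (username TEXT PRIMARY KEY, agent_password VARCHAR(255) NOT NULL)');
    return $db;
}

function createAgent(PDO $db, string $username, string $plain): string
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO agents (username, agent_password) VALUES (:u, :h)');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':h', $hash, PDO::PARAM_STR);
    $stmt->execute();
    return $hash;                      // what went in, kept for comparison
}

function fetchStoredHash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT agent_password FROM agents WHERE username = ?');
    $stmt->bindValue(1, $username, PDO::PARAM_STR);
    $stmt->execute();
    $value = $stmt->fetchColumn();     // a scalar, not an associative row
    return $value === false ? null : (string) $value;
}

function login(PDO $db, string $username, string $plain): bool
{
    $stored = fetchStoredHash($db, $username);
    return $stored !== null && password_verify($plain, $stored);
}

/** Compare the hash that went into the INSERT with what the SELECT gave back. */
function diagnoseRoundTrip(string $beforeInsert, ?string $afterSelect): array
{
    if ($afterSelect === null) {
        return ['no row came back from the SELECT'];
    }
    $problems = [];
    if (empty(password_get_info($afterSelect)['algo'])) {
        $problems[] = 'stored value is not a password_hash() result';
    }
    if (strlen($afterSelect) !== strlen($beforeInsert)) {
        $problems[] = sprintf('length changed from %d to %d bytes (column too short, trimmed, or charset-converted)',
            strlen($beforeInsert), strlen($afterSelect));
    } elseif ($afterSelect !== $beforeInsert) {
        $problems[] = 'same length but different bytes (charset/collation conversion?)';
    }
    return $problems;
}

$db = openDatabase();
$plain = 'correct horse battery staple';          // constructed sample password
$inserted = createAgent($db, 'agent007', $plain);

var_dump($inserted);                              // before the INSERT
$retrieved = fetchStoredHash($db, 'agent007');
var_dump($retrieved);                             // after the SELECT

var_dump(diagnoseRoundTrip($inserted, $retrieved));   // healthy round trip
var_dump(login($db, 'agent007', $plain));             // correct password
var_dump(login($db, 'agent007', 'wrong password'));   // wrong password

// Simulate what a VARCHAR(32) column does to the hash under MySQL's
// non-strict mode: it is silently cut off. diagnoseRoundTrip() names it.
$truncated = substr($inserted, 0, 32);
var_dump(diagnoseRoundTrip($inserted, $truncated));
```

The two var_dump calls are the "before the INSERT / after the SELECT" comparison the answer asks for; diagnoseRoundTrip() just automates reading them. When the array is non-empty, the fix is in the schema or the data flow (column length, TRIM or escaping in between, charset conversion), not in password_verify().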
PHP password_hash and password_verify weird issue not verifying
You've got an extra dollar sign here:
return password_hash($this->$password, PASSWORD_BCRYPT);
You've accidentally made a variable variable. Do this instead:
return password_hash($this->password, PASSWORD_BCRYPT);
Note your code should be generating a PHP warning that points directly to the issue. So... don't disable those.
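To make the difference between $this->password and $this->$password concrete, here is an added example (not the asker's code; the class and method names are invented): a small user class written the correct way, with one method that shows what the stray dollar sign actually resolves to.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's code: a minimal user class using
// $this->password as the answer recommends, plus a method that shows what
// "$this->$password" (a variable variable) really reads.

final class User
{
    private string $password;          // plaintext, held only until hashing
    private ?string $hash = null;

    public function __construct(string $password)
    {
        $this->password = $password;
    }

    /** Correct form: the property named "password". */
    public function hashPassword(): string
    {
        $this->hash = password_hash($this->password, PASSWORD_BCRYPT);
        return $this->hash;
    }

    public function verify(string $candidate): bool
    {
        return $this->hash !== null && password_verify($candidate, $this->hash);
    }

    /**
     * What "$this->$password" means: PHP first evaluates the local variable
     * $password, then reads the property whose NAME is that value. With
     * $password = 'hash' this returns $this->hash, not the password. When the
     * local variable does not exist at all, PHP warns about it and the
     * resulting empty property name is an error, which is the warning the
     * answer says not to silence.
     */
    public function resolveVariableVariable(): ?string
    {
        $password = 'hash';
        return $this->$password;
    }
}

$user = new User('correct horse battery staple');   // constructed sample
$stored = $user->hashPassword();

var_dump($user->verify('correct horse battery staple'));   // correct password
var_dump($user->verify('wrong'));                          // wrong password
var_dump($user->resolveVariableVariable() === $stored);    // the variable variable read the hash property
```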
Issue with password_hash and password_verify, always returning true in one case, false in another
I found out where my mistake was:
I had this database-connection.php file :
$host = 'localhost';
$dbname = 'japonwebsite';
$user = 'root';
$password = 'mysql';
try
{
$database = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8", $user,
$password);
}
catch (Exception $e)
{
die('Erreur : ' . $e->getMessage());
}
I include this file on all the pages where I need to connect to the database, so I have it included on the page that adds users to the database and the one that verifies login.
Thing is, on both of those pages, I was doing $password = $_POST['password']; to store in a variable the password entered by the user on the sign in or sign up form. After that, I was doing include('database-connection.php'); to connect to the database. So $password was always equal to mysql, because I also have a variable $password in database-connection.php. So I was always adding the hash of "mysql" in the database, and always verifying that the hash in the database was equal to "mysql", so it was always true. I just renamed the variable $password in database-connection.php to fix it!
PHP password_hash and password_verify incorrect false positive?
As MarkBaker already mentioned in his comment, this is a limitation of the BCrypt algorithm, which truncates passwords to 72 characters. For passwords this is more than enough and not a security problem, but in your case it seems you reach this limit because you want to add a pepper.
Never should a password be truncated because of adding a pepper. A pepper can increase security of weak passwords. Assuming that the pepper is of reasonable size, passwords which reach the limitation are very strong, and for those passwords a pepper is not necessary. So if you put the pepper at the end, you lose a part of the pepper, which is better than losing a part of the password.
That said, there are much better ways to add a pepper. You get the same benefits from encrypting (twoway) the hash with a server side key. This key is actually similar to the pepper, but you have the advantage that you can exchange the key whenever this seems necessary (a pepper becomes part of the password and cannot be changed until the next login). I tried to explain this at the end of my tutorial about safely storing passwords. If encryption is not an option for you, then at least use a HMAC to combine the pepper with the password.
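As an added example (not code from the answer), the following first demonstrates the bcrypt input limit the answer refers to (72 bytes in PHP's implementation) and then implements the HMAC fallback it recommends: the password is pre-hashed with HMAC-SHA256 under the pepper, and the fixed-length result is what bcrypt sees. PEPPER is a constructed placeholder; in a real deployment it comes from configuration or a secrets store, never from the database that holds the hashes. The function names are invented here.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answer: the 72-byte bcrypt limit and the
// HMAC-based pepper the answer recommends. PEPPER is a constructed placeholder.

const PEPPER = 'constructed-placeholder-pepper-change-me';

/** Returns true when bcrypt ignores everything after the 72nd byte. */
function bcryptIgnoresTail(): bool
{
    $prefix = str_repeat('a', 72);
    $hash = password_hash($prefix . 'X', PASSWORD_BCRYPT);
    // Only the first 72 bytes take part in the hash, so a different 73rd byte
    // still verifies. This is why a pepper appended to a long password can be
    // lost entirely, and why one prepended to it eats into the password.
    return password_verify($prefix . 'Y', $hash);
}

/**
 * Pre-hash with HMAC-SHA256 under the pepper: a fixed 64-byte hex string,
 * always below the 72-byte limit, free of NUL bytes, and impossible to
 * reproduce without PEPPER.
 */
function pepperedPreHash(string $password): string
{
    return hash_hmac('sha256', $password, PEPPER);
}

function hashPassword(string $password): string
{
    return password_hash(pepperedPreHash($password), PASSWORD_BCRYPT);
}

function verifyPassword(string $password, string $stored): bool
{
    return password_verify(pepperedPreHash($password), $stored);
}

$long = str_repeat('p', 80);                         // constructed 80-byte password
$stored = hashPassword($long);

var_dump(bcryptIgnoresTail());                       // the limit itself
var_dump(verifyPassword($long, $stored));            // full-length password
var_dump(verifyPassword(substr($long, 0, 72), $stored));                 // only the first 72 bytes
var_dump(verifyPassword($long, password_hash($long, PASSWORD_BCRYPT)));  // hash made without the pepper
```

With the pre-hash in place, every byte of the password contributes to the HMAC, so the 72-byte prefix alone no longer verifies, and a hash computed without the pepper does not verify either. Rotating the pepper still requires users to log in again, which is the limitation the answer contrasts with encrypting the stored hash under a replaceable server-side key.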