PHP Password_Verify() Hash and Pass Won't Match

password_verify hash not matching password

  • the hash generated is different every time
  • pass plain text to the password_verify() function... see below

$originalPassword = password_hash("THE_PASSWORD", PASSWORD_DEFAULT);
// This will produce something like (taken from above):
// $2y$10$tolDQdeTQrTio8IJ0Wi9AuHN5Km28pSB5kUh5qfkdkOsDXP295H1K

// When verifying this, pass the plain-text password and the stored hash
if (password_verify("THE_PASSWORD", $passwordFromDatabase['password'])) {
    echo "Success";
} else {
    echo "Fail";
}

password_verify not matching after writing to database

I simulated your code without database and form fetching, and it runs ok. It means there's something wrong either with your database or with your POST fields.

// New user - add them to database
echo "Creating your account. <br>";
$pwd = '12345';
//$password = password_hash(trim($_POST['password']), PASSWORD_DEFAULT);
$password = password_hash($pwd, PASSWORD_BCRYPT);
echo $password . '<br>';

$dbpwd = $password;

echo $dbpwd . '<br>';
if (password_verify(trim($pwd), $dbpwd)) {
    echo 'Match<br>';
} else {
    echo 'Match failed<br> ';
}

Output:

Creating your account.
$2y$10$iw6fSApO7Ok0ySZ.OsQqbe.DpVrvzJ86ZYIsWYg5060hyXbBYEiee
$2y$10$iw6fSApO7Ok0ySZ.OsQqbe.DpVrvzJ86ZYIsWYg5060hyXbBYEiee
Match

Use var_dump on your hashed $password var before the INSERT, then again with your $dbpwd after the SELECT and see if you get anything wrong. Also, check your PHP project scripts and your database schema for conflicting charset definitions.

Verify_password() : password not matching hash

Your password_hash variable is set in the wrong place. It is using $arr before it has been initialized.

<?php
// database connection
include 'conn.php';
include 'forminsertuser.php';

// retrieve form values

if (!empty($_POST["Submit1"])) {

    $arr['nom'] = htmlspecialchars($_POST['nom']);
    $arr['password'] = htmlspecialchars($_POST['password']);
    $arr['rankid'] = $_POST['rankid'];

    // shifted here, after $arr has been filled
    $password_hash = password_hash($arr['password'], PASSWORD_DEFAULT);

    $sql = 'INSERT INTO users ( nom, password, rankid) VALUES( :nom, :password, :rankid)';

    $statement = $conn->prepare($sql);

    $statement->execute([
        ':nom' => $arr['nom'],
        ':password' => $password_hash,
        ':rankid' => $arr['rankid'],
    ]);

    header("Location: process.php");
    exit;
}
?>

php password_verify doesn't work

Your issue is that you are adding a newline at the end of the hashed string.

$password_hashed = password_hash($password, PASSWORD_BCRYPT, $options)."\n";
// ^
// Here you add a newline ------'

That means that you hash the password, and add a newline at the end of the hashed string. When you now compare against the unhashed string through password_verify(), it won't match - simply because of that newline. To solve the issue, you need to remove ."\n" from where you hash the password, making it...

$password_hashed = password_hash($password, PASSWORD_BCRYPT, $options);

The newline probably comes from the PHP manual, where they show examples of hashing the passwords. Unfortunately, it's quite misleading - and should in my opinion be removed from the examples.

As a final note, from the manual.

Warning
The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.

  • password_hash() documentation

password_verify doesn't verify hash

The function password_verify() takes two parameters: a non-hashed input, and a stored hash to compare it to. It hashes the non-hashed input automatically to compare it to the stored version. So your initial code was re-hashing an already hashed password. It should look like this:

$verify = password_verify($_POST['passwrd'], $row[2]);

if ($verify) {
    $_SESSION["usrname"] = $usrname;
    echo "Correct";
} else {
    echo "user: " . $usrname . "<br>";
    echo "pass: " . $hash . "<br>";
    echo "db: " . $row[2] . "<br>";
    echo "Wrong Username or Password";
}

hash variable not work in password_verify () php

There seem to be two issues here. From your comment we found that...

  1. You're using mysqli_real_escape_string() on the password before hashing it. You should never modify passwords before inserting them, keep it clean. This function could possibly change passwords, if they contain for example single-quotes.
  2. You have \n concatenated to the hash before inserting it, while comparing, it does not have that. This needs to be removed when hashing the password when this data is being inserted.

These need to be corrected (the real_escape() shouldn't be on passwords, and the newline removed), and the password inserted again after these corrections have been made.


In addition to this,

if(isset($_POST['submit'])=="Log In") {

isn't what you think it is. It will technically work, as it will compare a boolean to true (so you get true == true if it's set, false == true otherwise). It should simply be

if (isset($_POST['submit'])) {

See Cleansing User Passwords
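The failure modes raised in the last two answers (a "\n" appended to the stored hash, escaping the password before hashing it, hashing the login input instead of passing it plain) can all be reproduced in one script. This is an added example, not code from any of the answers above; it assumes PHP 5.5 or newer and uses addslashes() as a stand-in for mysqli_real_escape_string(), which needs a live connection.

```php
<?php
// Added example: reproduces the pitfalls discussed on this page, then shows
// the correct register/login flow. A plain variable stands in for the DB row.

function check(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("FAILED: $what"); }
}

$plain = "p4ss'word";   // constructed sample password (contains a quote)

// 1. Hashing the same password twice gives different strings (random salt),
//    yet both verify. A differing hash is not a bug.
$h1 = password_hash($plain, PASSWORD_DEFAULT);
$h2 = password_hash($plain, PASSWORD_DEFAULT);
check($h1 !== $h2, 'salted hashes differ');
check(password_verify($plain, $h1) && password_verify($plain, $h2), 'both verify');

// 2. A "\n" appended to the stored hash (as in the manual's echo example)
//    makes the stored string 61 bytes; password_verify() then fails.
$stored = $h1 . "\n";
check(strlen($h1) === 60, 'bcrypt hash is 60 chars');
check(!password_verify($plain, $stored), 'trailing newline breaks verify');
check(password_verify($plain, rtrim($stored, "\n")), 'stripped newline verifies');

// 3. Escaping before hashing changes the bytes that get hashed, so the raw
//    password typed at login no longer matches. (addslashes() stands in for
//    mysqli_real_escape_string(); both alter quotes in the same way.)
$badHash = password_hash(addslashes($plain), PASSWORD_DEFAULT);
check(!password_verify($plain, $badHash), 'escaped-then-hashed does not verify');

// 4. A column shorter than 60 chars silently truncates the hash on INSERT.
$truncated = substr($h1, 0, 50);   // what a VARCHAR(50) column would keep
check(!password_verify($plain, $truncated), 'truncated hash does not verify');

// 5. password_verify() expects the plain password; re-hashing the input first
//    compares a fresh hash string against the stored one and always fails.
check(!password_verify(password_hash($plain, PASSWORD_DEFAULT), $h1), 'double hash');

// 6. Correct flow: store the hash untouched, compare the raw login input.
function register(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);   // store exactly this
}
function login(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}
$row = register($plain);
check(login($plain, $row), 'correct password logs in');
check(!login('wrong', $row), 'wrong password is rejected');
echo "all checks passed\n";
```

Run it with `php` on the command line; any check that fails throws, so a silent pass means every pitfall behaved as the answers describe.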


