Here is my scenario:
I have a function that gives out a JSON response when called. It's inside a class that has Signup.class.php included, which has the Signup class. The GET param pass is being accessed inside the gen_hash() function as shown above. The code is below.
The code is live at https://api1.selfmade.ninja/api/gen_hash?pass=hellooo
```php
private function gen_hash(){
    if(isset($this->_request['pass'])){
        $s = new Signup("", $this->_request['pass'], "");
        $hash = $s->hashPassword();
        $data = [
            "hash" => $hash,
            "info" => password_get_info($hash),
            "val" => $this->_request['pass'],
            "verify" => password_verify($this->_request['pass'], $hash),
            "spot_verify" => password_verify($this->_request['pass'], password_hash($this->_request['pass'], PASSWORD_BCRYPT))
        ];
        $data = $this->json($data);
        $this->response($data,200);
    }
}
```
This function calls Signup.class.php which has the following code:
```php
<?php
require_once('Database.class.php');

class Signup {
    private $username;
    private $password;
    private $email;
    private $db;

    public function __construct($username, $password, $email){
        $this->db = Database::getConnection();
        $this->username = $username;
        $this->password = $password;
        $this->email = $email;
    }

    public function getInsertID(){
    }

    public function hashPassword(){
        //echo $this->password;
        return password_hash($this->$password, PASSWORD_BCRYPT);
    }
}
```
The issue is as follows:
- The “spot_verify” array key from gen_hash() has code that works as intended.
- But the “verify” array key from gen_hash() has code that is not working as intended. It always returns false, whatever the case is.

The hash is being generated from the Signup::hashPassword() function. It is all working as expected. The value is being set right, and is being passed to the password_hash function from within Signup::hashPassword(). But inside gen_hash() under “verify”, it just returns false.
The code is live at https://api1.selfmade.ninja/api/gen_hash?pass=hellooo
It is giving the following answer and it makes no sense. Why is verify false?:
```json
{
    "hash": "$2y$10$Y3bq8EzFmEpgM6zZqONeeeP3gaUkSClyjmS3NCWxrpFS6R8okRHJG",
    "info": {
        "algo": "2y",
        "algoName": "bcrypt",
        "options": {
            "cost": 10
        }
    },
    "val": "hellooo",
    "verify": false,
    "spot_verify": true
}
```
What have I done already? I ensured that the same password value is being passed to password_hash and password_verify. But this makes no sense. What am I missing?
Answer
You’ve got an extra dollar sign here:
```php
return password_hash($this->$password, PASSWORD_BCRYPT);
```
You’ve accidentally made a variable variable. Do this instead:
```php
return password_hash($this->password, PASSWORD_BCRYPT);
```
Note your code should be generating a PHP warning that points directly to the issue. So… don’t disable those.
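
A way to see what the typo actually hashes, as an added example that is not code from the question or the answer: `BuggySignup`, `FixedSignup` and `captureDiagnostics()` are constructed names, and the script assumes a PHP version (7.1 through 8.x) that lets the buggy call complete with diagnostics rather than a fatal error. It collects the diagnostics each version raises and checks every resulting hash against both the submitted password and the empty string.

```php
<?php
// Constructed classes: BuggySignup repeats the typo, FixedSignup applies the answer's fix.
class BuggySignup {
    private $password;
    public function __construct($password) { $this->password = $password; }
    public function hashPassword() {
        // $password is an undefined local variable, so this is a variable-variable
        // property lookup and never reads the private $password property.
        return password_hash($this->$password, PASSWORD_BCRYPT);
    }
}

class FixedSignup {
    private $password;
    public function __construct($password) { $this->password = $password; }
    public function hashPassword() {
        return password_hash($this->password, PASSWORD_BCRYPT);
    }
}

// Run $fn while collecting PHP diagnostics instead of letting them stay hidden.
function captureDiagnostics(callable $fn): array {
    $messages = [];
    set_error_handler(function ($severity, $message) use (&$messages) {
        $messages[] = $message;
        return true; // handled: keep going so the resulting hash can be inspected
    });
    try {
        $result = $fn();
    } finally {
        restore_error_handler();
    }
    return [$result, $messages];
}

$plain = 'hellooo'; // sample value from the question
foreach (['BuggySignup', 'FixedSignup'] as $class) {
    [$hash, $messages] = captureDiagnostics(function () use ($class, $plain) {
        return (new $class($plain))->hashPassword();
    });
    echo $class, PHP_EOL;
    echo '  verifies submitted password: ', var_export(password_verify($plain, $hash), true), PHP_EOL;
    echo '  verifies empty string:       ', var_export(password_verify('', $hash), true), PHP_EOL;
    foreach ($messages as $message) {
        echo '  diagnostic: ', $message, PHP_EOL;
    }
}
```

A hash that verifies against the empty string for every user is worth checking for in any account rows written while the typo was deployed.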