I’m using PHP’s password hashing API to hash and verify my passwords on a site I’m building, however whenever I try and verify my password it always returns false.
I have a User class which sets the password before the user is inserted into the database:

```php
public function set__password($passwd)
{
    // Hash the plain-text password with bcrypt at cost 12 before storing it
    self::$password = password_hash($passwd, PASSWORD_BCRYPT, array('cost' => 12));
}
```
If the username and email are unique, the new user row is inserted. Upon checking my database I have what seems to be a valid BCRYPT string for my password:

```
$2y$12$lTMEP0wevDEMX0bzStzoyOEzOTIAi3Hyhd3nYjGwzbI
```
To verify my password, I run the following script:

```php
$username = $_POST['username'];
$password = $_POST['password'];
$DB = Database::getInstance();

// Get the stored password hash
// (note: the username is interpolated straight into the SQL string; a prepared statement is the safer form)
$res  = $DB->run__query('SELECT password FROM users WHERE username = "' . $username . '"');
$hash = $res[0]['password'];

// Do the passwords match?
if (password_verify($password, $hash)) {
    echo 'success';
} else {
    echo 'failed';
}
```

`$hash` pertains to the string quoted above; however, when I then call `password_verify($password, $hash)`, where `$password` is the plain-text password retrieved from my input field, I always receive a value of false.
Answer
The given hash string example has 50 characters instead of 60. Double-check the database column (it should be `CHAR(60)`) and `var_dump($hash)`.
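To make the answer's point concrete, here is an added example (not code from the question or the answer) that hashes a constructed sample password, shows that a bcrypt hash is always exactly 60 characters, simulates a column that silently truncates it, and shows that `password_verify()` fails against the truncated copy and succeeds against the full one. The `storeInColumn()` and `looksLikeBcrypt()` helpers, the sample password, and the `fetchStoredHash()` lookup are all assumptions of this example, not part of the original code.

```php
<?php
declare(strict_types=1);

// Every "$2y$" bcrypt hash produced by password_hash() is exactly 60 characters:
// "$2y$" (4) + cost (2) + "$" (1) + 22-char salt + 31-char digest.
const BCRYPT_HASH_LENGTH = 60;

/** Hash a plain-text password with bcrypt at cost 12 (same parameters as the question). */
function makeHash(string $plain): string
{
    $hash = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/**
 * Sanity check to run right after reading a hash back from the database:
 * catches a column that was too narrow and silently truncated the value.
 */
function looksLikeBcrypt(string $hash): bool
{
    return strlen($hash) === BCRYPT_HASH_LENGTH
        && preg_match('/^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $hash) === 1;
}

/** Mimics a non-strict MySQL CHAR(n) column that keeps only the first n characters. (assumed helper) */
function storeInColumn(string $hash, int $columnWidth): string
{
    return substr($hash, 0, $columnWidth);
}

/**
 * Safer form of the question's lookup: a prepared statement instead of string
 * concatenation. Assumes a PDO connection and a `users` table with
 * `username` and `password` columns; not invoked in the stand-alone run below.
 */
function fetchStoredHash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) ? $hash : null;
}

// --- stand-alone demonstration with a constructed sample password ---
$plain = 'correct horse battery staple'; // constructed sample, not a real credential
$hash  = makeHash($plain);

printf("hash length: %d, well-formed: %s\n", strlen($hash), looksLikeBcrypt($hash) ? 'yes' : 'no');

// A CHAR(50) column would keep only the first 50 characters, as in the question's example:
$truncated = storeInColumn($hash, 50);
printf("truncated length: %d, well-formed: %s, verifies: %s\n",
    strlen($truncated),
    looksLikeBcrypt($truncated) ? 'yes' : 'no',
    password_verify($plain, $truncated) ? 'yes' : 'no');

// A CHAR(60) column keeps the whole hash and verification works:
$intact = storeInColumn($hash, 60);
printf("intact length: %d, well-formed: %s, verifies: %s\n",
    strlen($intact),
    looksLikeBcrypt($intact) ? 'yes' : 'no',
    password_verify($plain, $intact) ? 'yes' : 'no');
```

Run it with the PHP CLI and compare the two `verifies:` lines. Calling `looksLikeBcrypt()` on the value read from the database, before `password_verify()`, turns a silent "always false" login into a loud, logged error that points straight at the column definition; if a later PHP version changes the default algorithm, widen the column (VARCHAR(255) is the usual recommendation) rather than relying on the 60-character bcrypt length alone.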