PHP Password verify always returns false

I’m using PHP’s password hashing API to hash and verify my passwords on a site I’m building, however whenever I try and verify my password it always returns false.

I have a User class which sets the password before they are inserted into the database:

public function set__password($passwd) {
    self::$password = password_hash($passwd, PASSWORD_BCRYPT, array('cost' => 12));
}

JavaScript
​x
 
public function set__password($passwd) {    self::$password = password_hash($passwd, PASSWORD_BCRYPT, array('cost' => 12));}​

If the username and email is unique the new user row is inserted – upon checking my database I have what seems to be a valid BCRYPT string for my password:

$2y$12$lTMEP0wevDEMX0bzStzoyOEzOTIAi3Hyhd3nYjGwzbI

JavaScript
 
$2y$12$lTMEP0wevDEMX0bzStzoyOEzOTIAi3Hyhd3nYjGwzbI​

To verify my password, I run the following script:

$username = $_POST['username'];
$password = $_POST['password'];

$DB = Database::getInstance();

// Get the stored password hash
$res = $DB->run__query('SELECT password FROM users WHERE username = "' . $username . '"');
$hash = $res[0]['password'];


// Do the passwords match?
if(password_verify($password, $hash)) {
    echo 'success';
} else {
    echo 'failed';
}

JavaScript
 
$username = $_POST['username'];$password = $_POST['password'];​$DB = Database::getInstance();​// Get the stored password hash$res = $DB->run__query('SELECT password FROM users WHERE username = "' . $username . '"');$hash = $res[0]['password'];​​// Do the passwords match?if(password_verify($password, $hash)) {    echo 'success';} else {    echo 'failed';}​

$hash pertains to the string quoted above, however when I then call password_verify($password, $hash) where $password is the plain-text password retrieved from my input field, I always receive a value of false.

Answer

The given hash string example has 50 characters instead of 60. Double-Check the database – CHAR(60) – and var_dump($hash).

Advertisement

Answer