PHP password_hash and password_verify weird issue not verifying [closed]

Here is my scenario:

I have a function that gives out a JSON response when called. It's inside a class that has Signup.class.php included, which has the Signup class, where the GET param pass is being accessed inside the gen_hash() function as shown above. The code is below.

The code is live at https://api1.selfmade.ninja/api/gen_hash?pass=hellooo

        private function gen_hash(){
            if(isset($this->_request['pass'])){
                $s = new Signup("", $this->_request['pass'], "");
                $hash = $s->hashPassword();
                $data = [
                    "hash" => $hash,
                    "info" => password_get_info($hash),
                    "val" => $this->_request['pass'],
                    "verify" => password_verify($this->_request['pass'], $hash),
                    "spot_verify" => password_verify($this->_request['pass'], password_hash($this->_request['pass'], PASSWORD_BCRYPT))
                ];
                $data = $this->json($data);
                $this->response($data,200);
            }
        }

This function calls Signup.class.php which has the following code:

<?php

require_once('Database.class.php');

class Signup {

    private $username;
    private $password;
    private $email;

    private $db;

    public function __construct($username, $password, $email){
        $this->db = Database::getConnection();
        $this->username = $username;
        $this->password = $password;
        $this->email = $email;
    }

    public function getInsertID(){

    }

    public function hashPassword(){
        //echo $this->password;
        return password_hash($this->$password, PASSWORD_BCRYPT);
    }

}

The issue is as follows:

  1. The “spot_verify” array key from gen_hash() has code that works as intended.
  2. But the “verify” array key from gen_hash() has code that is not working as intended. It always returns false, whatever the case is. The hash is being generated by the Signup::hashPassword() function. It is all working as expected. The value is being set right, and is being passed to the password_hash function from within Signup::hashPassword(). But inside gen_hash() under “verify”, it just returns false.

It is giving the following answer, and it makes no sense. Why is verify false?

{
    "hash": "$2y$10$Y3bq8EzFmEpgM6zZqONeeeP3gaUkSClyjmS3NCWxrpFS6R8okRHJG",
    "info": {
        "algo": "2y",
        "algoName": "bcrypt",
        "options": {
            "cost": 10
        }
    },
    "val": "hellooo",
    "verify": false,
    "spot_verify": true
}

What have I done already? I ensured that the same password value is being passed to password_hash and password_verify. But this makes no sense. What am I missing?

Answer

You’ve got an extra dollar sign here:

return password_hash($this->$password, PASSWORD_BCRYPT);

You’ve accidentally made a variable variable. Do this instead:

return password_hash($this->password, PASSWORD_BCRYPT);

Note that your code should be generating a PHP warning that points directly to the issue. So… don't disable those.
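As an added example (not the asker's or answerer's code), here is a minimal Signup class with the property access corrected and an explicit guard, so that a missing or empty password fails loudly instead of silently producing a hash of nothing. It assumes PHP 7.4+ for typed properties; the Database wiring from the original class is left out.

```php
<?php
declare(strict_types=1);

// Added example, not the code from the question: the fixed hashPassword()
// plus a guard that would have exposed the $this->$password typo at once.
final class Signup
{
    private string $username;
    private string $password;
    private string $email;

    public function __construct(string $username, string $password, string $email)
    {
        // password_hash('' ...) still returns a well-formed bcrypt hash, which is
        // exactly why the typo in the question went unnoticed until verify ran.
        if ($password === '') {
            throw new InvalidArgumentException('password must not be empty');
        }
        $this->username = $username;
        $this->password = $password;
        $this->email = $email;
    }

    public function hashPassword(): string
    {
        // Direct property access. With a second "$" PHP would first read a local
        // variable named $password and then use its value as the property name.
        return password_hash($this->password, PASSWORD_BCRYPT);
    }

    public static function verify(string $candidate, string $hash): bool
    {
        return password_verify($candidate, $hash);
    }
}

// Self-check with a constructed password; no HTTP request is involved.
$s = new Signup('alice', 'hellooo', 'alice@example.com');
$hash = $s->hashPassword();
if (Signup::verify('hellooo', $hash) !== true) {
    throw new RuntimeException('correct password did not verify');
}
if (Signup::verify('wrong', $hash) !== false) {
    throw new RuntimeException('wrong password verified');
}
// With strict_types, passing null as $password is a TypeError and passing ''
// throws InvalidArgumentException, instead of hashing an empty string.
echo "ok\n";
```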

User contributions licensed under: CC BY-SA