Here is my scenario:
I have a function that gives out a JSON response when called for. It's inside a class that has Signup.class.php included, which has the Signup class. The GET param pass is being accessed inside the gen_hash() function as shown above. The code is below.
The code is live at https://api1.selfmade.ninja/api/gen_hash?pass=hellooo
    private function gen_hash(){
        if(isset($this->_request['pass'])){
            $s = new Signup("", $this->_request['pass'], "");
            $hash = $s->hashPassword();
            $data = [
                "hash" => $hash,
                "info" => password_get_info($hash),
                "val" => $this->_request['pass'],
                "verify" => password_verify($this->_request['pass'], $hash),
                "spot_verify" => password_verify($this->_request['pass'], password_hash($this->_request['pass'], PASSWORD_BCRYPT))
            ];
            $data = $this->json($data);
            $this->response($data,200);
        }
    }
This function calls Signup.class.php which has the following code:
    <?php
    require_once('Database.class.php');
    class Signup {
        private $username;
        private $password;
        private $email;
        private $db;
        public function __construct($username, $password, $email){
            $this->db = Database::getConnection();
            $this->username = $username;
            $this->password = $password;
            $this->email = $email;
        }
        public function getInsertID(){
        }
        public function hashPassword(){
            //echo $this->password;
            return password_hash($this->$password, PASSWORD_BCRYPT);
        }
    }
The issue is as follows:
- The “spot_verify” array key from gen_hash() has a code that works as intended.
- But the “verify” array key from gen_hash() has a code that is not working as intended. It is always telling false whatsoever the case is. The hash is being generated from the Signup::hashPassword() function. It is all working as expected. The value is setting right, and is being passed to the password_hash function from within the Signup::hashPassword(). But inside gen_hash() under “verify”, it just tells false.
The code is live at https://api1.selfmade.ninja/api/gen_hash?pass=hellooo
It is giving the following answer and it makes no sense. Why is verify false?:
    {
        "hash": "$2y$10$Y3bq8EzFmEpgM6zZqONeeeP3gaUkSClyjmS3NCWxrpFS6R8okRHJG",
        "info": {
            "algo": "2y",
            "algoName": "bcrypt",
            "options": {
                "cost": 10
            }
        },
        "val": "hellooo",
        "verify": false,
        "spot_verify": true
    }
What I did already? I ensured that the same password value is being passed to password_hash and password_verify. But this makes no sense. What am I missing?
Answer
You’ve got an extra dollar sign here:
    return password_hash($this->$password, PASSWORD_BCRYPT);
You’ve accidentally made a variable variable. Do this instead:
    return password_hash($this->password, PASSWORD_BCRYPT);
Note your code should be generating a PHP warning that points directly to the issue. So… don’t disable those.
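
The behaviour described in the answer, as an added example that is not part of the original question or answer: with warnings hidden, the variable-variable typo makes password_hash() hash the empty string, so the result never verifies against the real password, and promoting warnings to exceptions stops the request at the typo. The class names BuggySignup and FixedSignup are hypothetical, and the example assumes PHP 7.1 or later, where reading a property with an empty name returns null with a diagnostic.

```php
<?php
// Added illustration; BuggySignup and FixedSignup are hypothetical names.
class BuggySignup {
    private $password;
    public function __construct($password) { $this->password = $password; }
    public function hashPassword() {
        // $password is an undefined local variable (null), so PHP looks up
        // a property whose name is the empty string instead of "password".
        return password_hash($this->$password, PASSWORD_BCRYPT);
    }
}

class FixedSignup {
    private $password;
    public function __construct($password) { $this->password = $password; }
    public function hashPassword() {
        return password_hash($this->password, PASSWORD_BCRYPT);
    }
}

$pass = 'hellooo'; // constructed sample input, same value as in the question

// 1. Diagnostics silenced: the typo goes unnoticed and a hash still comes back.
$previous = error_reporting(0);
$buggyHash = (new BuggySignup($pass))->hashPassword();
error_reporting($previous);
echo 'buggy hash verifies the real password: ';
var_export(password_verify($pass, $buggyHash));
echo PHP_EOL, 'buggy hash verifies the empty string: ';
var_export(password_verify('', $buggyHash));

// 2. Corrected property access.
$fixedHash = (new FixedSignup($pass))->hashPassword();
echo PHP_EOL, 'fixed hash verifies the real password: ';
var_export(password_verify($pass, $fixedHash));
echo PHP_EOL;

// 3. Promote every diagnostic to an exception so the typo cannot pass silently.
set_error_handler(function ($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});
try {
    (new BuggySignup($pass))->hashPassword();
    echo 'no diagnostic raised', PHP_EOL;
} catch (ErrorException $e) {
    echo 'stopped by diagnostic: ', $e->getMessage(), PHP_EOL;
}
restore_error_handler();
```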