I have this PHP code. The variable $password has the right password statically assigned (no user input to validate).

$data['password'] returns the right hash too, when printing it out with echo.

But somehow the password_verify function doesn't work in this function. When I'm using it manually with the same inputs it works fine.

Maybe there is something wrong with the PDO query, but I have no idea what.

    $this->mysql->query("SELECT * FROM user WHERE username = :username LIMIT 1");
    $this->mysql->bind(':username', $username);
    $data = $this->mysql->single(); 

    if($this->mysql->rowCount() == 1)
    {
        echo $data['password'];
        if(password_verify($password, $data['password']))
        {

            echo "yees!";

        }else{
            $this->user_error = true;
        }       
    }else{
        $this->user_error = true;           
    }
Tewdyn
  • What datatype/size is your password column in your database? – Mark Baker Nov 29 '14 at 19:21
  • Show us what values you have. We cannot verify what "the right" data is. How have *you* verified that the data is "right"? – deceze Nov 29 '14 at 19:24
  • @mark-baker it's text – Tewdyn Nov 29 '14 at 19:51
  • @deceze I tried it with the same values manually and directly without PDO; the input is "123456" and the hash is "$2y$10$HRnsvpIpuIxnSAXXezm/D.prUD6COgz/C0TUzDUF0d.UIcXZw/MdS" – Tewdyn Nov 29 '14 at 20:03
  • So $data['password'] can't be the hash, or $password can't be '123456'. What do you see if you do `var_dump($password)` and `var_dump($data['password'])` rather than just echoing them? I'm suspecting you've got something like a space or newline characters on the end of one or the other of them. – Matt Gibson Nov 29 '14 at 22:18
  • @user3747630 - And the length of the field? Is it long enough to hold the full value of the hash? – Mark Baker Nov 29 '14 at 22:27
  • @MarkBaker MySQL's TEXT type is 64K long. So in fact, the field is preposterously long for a password hash; the [recommended storage for a password_hash value is 255 characters](http://stackoverflow.com/a/21479715/300836). – Matt Gibson Nov 29 '14 at 22:36
  • @MarkBaker I already changed it to varchar 255. I'll post the output of var_dump tomorrow, I'm on my mobile phone now. – Tewdyn Nov 29 '14 at 22:39
  • @Mark Here is the output from var_dump: `array(5) { ["id"]=> string(32) "7" ["firstname"]=> string(32) "Max" ["lastname"]=> string(32) "Mustermann" ["username"]=> string(32) "MaMustermann" ["password"]=> string(64) "$2y$10$HRnsvpIpuIxnSAXXezm/D.prUD6COgz/C0TUzDUF0d.UIcXZw/MdS" }` `string(64) "$2y$10$HRnsvpIpuIxnSAXXezm/D.prUD6COgz/C0TUzDUF0d.UIcXZw/MdS"` I really have no idea why it isn't working as it should – Tewdyn Nov 30 '14 at 10:21
  • So the `$password`, which you're trying to verify, is already hashed...?! – deceze Nov 30 '14 at 10:55
  • No, `$password` is the user input. `$data['password']` is hashed – Tewdyn Nov 30 '14 at 11:02

1 Answer

So I figured it out. There were some whitespaces in the array, but I haven't got any idea where they came from. So I used the trim() function to remove these whitespaces and now everything works properly.

Thanks for quick help!

Tewdyn
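
The failure described in the answer, reproduced as an added example (not code from the original post): a bcrypt hash is 60 characters long, so the `string(64)` in the var_dump output means four extra bytes are attached to it. The sample hash is generated here and padded with spaces as an assumption about the kind of whitespace; `diagnoseStoredHash` and `verifyAgainstStored` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Constructed sample data: a fresh bcrypt hash of "123456", then the same
// hash right-padded with spaces to 64 bytes, mirroring the string(64) above.
$password   = '123456';
$cleanHash  = password_hash($password, PASSWORD_BCRYPT);
$paddedHash = str_pad($cleanHash, 64, ' ');

/**
 * Hypothetical helper: report why a stored hash may be rejected.
 * echo hides trailing whitespace; lengths and a hex tail do not.
 */
function diagnoseStoredHash(string $stored): array
{
    $info = password_get_info($stored);
    return [
        'length'         => strlen($stored),
        'trimmed_length' => strlen(trim($stored)),
        // algo is empty (null or 0, depending on PHP version) when the
        // string is not a well-formed hash, e.g. bcrypt that is not 60 bytes.
        'recognised'     => !empty($info['algo']),
        // Last four bytes in hex: 20 is a space, 0a a newline, 0d a CR.
        'hex_tail'       => bin2hex(substr($stored, -4)),
    ];
}

/**
 * Hypothetical helper: verify against the stored value with surrounding
 * whitespace removed. Only the hash is trimmed; the password is left
 * exactly as typed, since whitespace can be a legitimate part of it.
 */
function verifyAgainstStored(string $password, string $stored): bool
{
    return password_verify($password, trim($stored));
}

// Clean 60-byte hash: verification succeeds.
var_dump(password_verify($password, $cleanHash));
// Padded hash: it no longer equals the 60-byte value crypt() recomputes,
// so verification fails even though echo shows an identical-looking string.
var_dump(password_verify($password, $paddedHash));
// Shows length 64 vs trimmed_length 60 and a tail of 20202020.
print_r(diagnoseStoredHash($paddedHash));
// Trimming the stored value restores the match.
var_dump(verifyAgainstStored($password, $paddedHash));
```

Trimming on every read is a workaround; cleaning the stored rows once and finding what pads them removes the need for it.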