
I am testing the new PHP encryption algorithm (Argon2) and it gives me problems when I collect the data from the database. I am showing the code below; password_verify() always returns false.

setpass:

    function setpass($pass, $cryp){
        global $conn;
        // Hash the password with Argon2i and store the full hash string in the pass column
        $qry="UPDATE users SET pass=:pass WHERE cryp LIKE :cryp";
        $result=$conn->prepare($qry);
        $password=password_hash($pass, PASSWORD_ARGON2I);
        $result->bindParam(':pass', $password);
        $result->bindParam(':cryp', $cryp);
        $result->execute();
        header("Location: http://localhost/intranet/login.php");
        exit; // stop the script after the redirect
    }

login:

    function login($nick, $pass){
        global $conn;
        // Select nick as well: it is used below when the cookie is set
        $qry="SELECT id, nick, pass FROM users WHERE nick LIKE :nick";
        $result=$conn->prepare($qry);
        $result->bindParam(':nick', $nick);
        $result->execute();

        $user=$result->fetch();

        // fetch() returns false when no row matched, so guard before indexing
        if($user && password_verify($pass, $user['pass'])){
            setcookie("user_id", $user['id'], time()+432000);
            setcookie("user_nick", $user['nick'], time()+432000);
            header("Location: xxxx");
            exit; // stop the script after the redirect
        }
        else{
            var_dump("ERROR");
        }
    }

The only thing that fails is the password_verify function. The hash is inserted well in the database, and if I try to do the hash and password_verify on the same page with a test string, it works well. The encoding is utf-8 in the database and in my .php

  • Are you sure you're selecting the same row? `setpass` uses the `cryp` column, `login` uses `nick`. – Barmar Feb 03 '18 at 10:29
  • May we see some example code that we can run? A self-contained [mcve] that does not need a database would be ideal. – halfer Feb 03 '18 at 10:36
  • Sure `$result->fetch();` yields something? Also check that `$pass` is not empty – Rotimi Feb 03 '18 at 10:36
  • Please read [Under what circumstances may I add “urgent” or other similar phrases to my question, in order to obtain faster answers?](//meta.stackoverflow.com/q/326569) - the summary is that this is not an ideal way to address volunteers, and is probably counterproductive to obtaining answers. Please refrain from adding this to your questions. – halfer Feb 03 '18 at 10:38
  • What prompted you blaming a specific PHP version on this? Was this tested on anything else? Or with the literal database contents and fixed password? (Insufficient details on DB column definition.) – mario Feb 03 '18 at 10:51
  • Always `die()` after `header("Location: xxxx")`. – Xorifelse Feb 03 '18 at 11:06
  • I would put more data but everything is fine, the hash that I get from the database is exactly the same as the one generated in setpass (without spaces or strange characters). The pass field is a varchar (255) and the only thing that does not work correctly is the password_verify function. – Pablo Hermida Mourelle Feb 03 '18 at 11:11
  • @PabloHermidaMourelle to verify the password against the one stored in the database, it must be got from the user password input, like `password_verify($pass, trim($_POST['pass']))`; trim will remove any space from the password. That action will return true. –  Feb 03 '18 at 11:47
  • @dean I've tried it and it does not work – Pablo Hermida Mourelle Feb 03 '18 at 22:43
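A self-contained round trip of the same store-and-verify flow, added here as an example (it is not the asker's or any commenter's code): it uses PDO with an in-memory SQLite database so it runs without a MySQL server, and assumes a PHP build with Argon2 support and the pdo_sqlite extension. Table and column names (`users`, `nick`, `cryp`, `pass`) follow the question; the user row and the password are constructed, and `=` is used instead of `LIKE`. It checks the two things the comments raise before `password_verify` is blamed: that `setpass` updated exactly one row, and that the hash read back is byte-for-byte the one written.

```php
<?php
// Added example (not the asker's code): password_hash()/password_verify() with
// Argon2i through PDO against an in-memory SQLite database.
// Assumptions: PHP >= 7.2 built with Argon2 support, pdo_sqlite enabled.
// The users table and the single row in it are constructed for this example.
declare(strict_types=1);

if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2 support\n");
    exit(1);
}

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nick TEXT, cryp TEXT, pass TEXT)');
$conn->exec("INSERT INTO users (nick, cryp, pass) VALUES ('alice', 'token-abc', '')");

// Hash the password and store it on the row selected by cryp; fail loudly if
// that did not touch exactly one row (a wrong row is one way verify "fails").
function setpass(PDO $conn, string $pass, string $cryp): string
{
    $hash = password_hash($pass, PASSWORD_ARGON2I);
    $stmt = $conn->prepare('UPDATE users SET pass = :pass WHERE cryp = :cryp');
    $stmt->execute([':pass' => $hash, ':cryp' => $cryp]);
    if ($stmt->rowCount() !== 1) {
        throw new RuntimeException("setpass updated {$stmt->rowCount()} rows, expected 1");
    }
    return $hash;
}

// Look the user up by nick and verify the submitted password against the
// stored hash. A missing row is a plain false, not a notice on a false array.
function login(PDO $conn, string $nick, string $pass): bool
{
    $stmt = $conn->prepare('SELECT id, nick, pass FROM users WHERE nick = :nick');
    $stmt->execute([':nick' => $nick]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;
    }
    return password_verify($pass, $user['pass']);
}

// Diagnostic: compare what was written with what comes back from the database.
function checkStoredHash(PDO $conn, string $nick, string $expected): array
{
    $stmt = $conn->prepare('SELECT pass FROM users WHERE nick = :nick');
    $stmt->execute([':nick' => $nick]);
    $stored = (string) $stmt->fetchColumn();
    return [
        'identical'    => hash_equals($expected, $stored),
        'stored_len'   => strlen($stored),
        'expected_len' => strlen($expected),
        'algo'         => password_get_info($stored)['algoName'],
    ];
}

$hash = setpass($conn, 'correct horse battery staple', 'token-abc');
var_dump(checkStoredHash($conn, 'alice', $hash));
var_dump(login($conn, 'alice', 'correct horse battery staple'));
var_dump(login($conn, 'alice', 'wrong password'));
var_dump(login($conn, 'nobody', 'anything'));
```

Run it with `php round_trip.php`. If `stored_len` and `expected_len` differ, the column truncated the hash (an Argon2i hash at the default cost parameters is well under 255 characters, so `varchar(255)` is enough, but a shorter column is not); if they are equal and `identical` is still false, something altered the bytes on the way in or out, such as whitespace or an encoding conversion.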

1 Answer

I was having the same problem; what solved it for me was adding options to the password_hash function

like this

    // Pass the Argon2 cost parameters explicitly as the third argument
    $options = [
        'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST,
        'time_cost'   => PASSWORD_ARGON2_DEFAULT_TIME_COST,
        'threads'     => PASSWORD_ARGON2_DEFAULT_THREADS,
    ];
    $password2 = password_hash('1234567890', PASSWORD_ARGON2I, $options);

After that it worked perfectly

Chris Gomez