
I'm creating a site where a user can log in. When they make an account, I save the hashed password in the database. I am trying to use password_verify() in order to confirm the password matches, but it returns false.

To confirm that they match, I print out both the hashed version of what the user typed in and the hashed password that is stored in the database. I know a common problem is that the database password field is too small for the hashed password, but I have tried setting it as both VARCHAR(256) and TEXT to make sure the entire hashed password is stored.

```php
<?php
if (isset($_POST['email'])) {
    $email    = strip_tags(mysqli_real_escape_string($conn, $_POST['email']));
    $password = strip_tags(mysqli_real_escape_string($conn, $_POST['passwd']));
    $sql = "SELECT email, passwd AS hashed_password FROM Accounts WHERE email = '$email'";

    $result = $conn->query($sql);
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    // print the hashed password that is stored in the database
    echo 'stored in the database: ' . $row['hashed_password'] . '<br>';
    // hash what the user typed in with sha512 (the same way it was stored)
    $hash = hash('sha512', $password);
    // print the hashed version of what the user typed in
    echo 'hashed version of what your submitted: ' . $hash . '<br>';
    // verify the submitted password against the freshly computed $hash
    if (password_verify($password, $hash)) {
        echo "true";
    } else {
        echo 'false';
    }
}
```

I expect that password_verify() returns true, but it returns false.

Here is what I currently have it outputting:

stored in the database: 1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75

hashed version of what your submitted: 1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75

false

  • Instead of `hash('sha512', $password)` you have to use `password_hash($password, PASSWORD_DEFAULT)` for creating the password hash and storing it in the database – Rajat Sharma Aug 08 '19 at 05:53
  • Your verify line is using a password re-hashed rather than the password from the database, so use `if( password_verify($password, $row['hashed_password'])){` – Nigel Ren Aug 08 '19 at 05:57
  • Rajat's solution worked. Nigel's is correct but I had tried that previously and it didn't work because I was using hash() instead of password_hash() –  Aug 08 '19 at 06:05
  • Wait actually Nigel is incorrect because the verify line doesn't use the hashed version of what the user entered, I only hashed what the user entered so I could print it and compare. –  Aug 08 '19 at 06:11
  • The verify line hashes the user inputted password itself, so you don't need to hash it again yourself. Currently it will allow any password to work! – Nigel Ren Aug 08 '19 at 06:27

1 Answer

password_verify() works with the function password_hash().

change:

```php
$hash = hash('sha512', $password);
```

to:

```php
$hash = password_hash($password, PASSWORD_DEFAULT);
```

– Max Shaian
  • BUT, isn't this just re-hashing the password the user has entered, which is then used in `password_verify($password, $hash)` - so it is basically ignoring the password from the database altogether. – Nigel Ren Aug 08 '19 at 06:04
  • That worked, thanks! –  Aug 08 '19 at 06:06
  • Also, the previous commentator was right. There is a logic issue in your code, as you input and check the same password. You should check password from the database instead. It's stored in your $row array, probably in $row['hashed_password']. – Max Shaian Aug 08 '19 at 06:11
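
The two fixes from the answer and Nigel Ren's comment, put together in one complete register/login flow. This is an added example, not code from the question or the answer; it replaces the MySQL `Accounts` table with an in-memory array (a constructed stand-in) so it runs without a database, and the function names `register`, `login` and `brokenLogin` are this example's own. The third function reproduces the logic error the comments point out, so you can see why it accepts any password.

```php
<?php
// Added example (not from the question or answer). The $accounts array is a
// constructed stand-in for the Accounts table: email => stored password hash.
$accounts = [];

function register(array &$accounts, string $email, string $password): void
{
    // password_hash() picks the algorithm and a random salt; the returned
    // string (60 chars for bcrypt, longer for argon2) is all that is stored.
    // A VARCHAR(255) column is wide enough for any current PASSWORD_DEFAULT.
    $accounts[$email] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array $accounts, string $email, string $password): bool
{
    if (!isset($accounts[$email])) {
        return false;
    }
    // Compare the submitted plaintext against the hash loaded from storage.
    // Do not hash the input yourself: password_verify() reads the algorithm
    // and salt out of the stored hash and does the hashing internally.
    return password_verify($password, $accounts[$email]);
}

function brokenLogin(string $password): bool
{
    // The flow from the question: hash the input, then verify the input
    // against that fresh hash. The stored value is never consulted, so this
    // accepts every password, which is what Nigel Ren's last comment warns about.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    return password_verify($password, $hash);
}

register($accounts, 'alice@example.com', 'correct horse battery staple');

var_dump(login($accounts, 'alice@example.com', 'correct horse battery staple'));
var_dump(login($accounts, 'alice@example.com', 'wrong password'));
var_dump(login($accounts, 'nobody@example.com', 'anything'));
var_dump(brokenLogin('wrong password'));
```

Running it with `php` prints `bool(true)` for the first call and `bool(false)` for the next two, while `brokenLogin()` returns `bool(true)` even for the wrong password. When this is wired back to MySQL, the `$row['hashed_password']` value fetched for the email takes the place of `$accounts[$email]`; a prepared statement with a bound `?` parameter for the email is the safer way to build that `SELECT` than interpolating an escaped string into the query.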