password_verify failing to verify password created with password_hash PHP

thekeemo · May 27, 2016

I will add protection against injection as soon as I get everything actually working

Echoing `$hash` gives me the value stored into the DB without issue
Echoing `$user` gives me the value stored into the DB without issue
Echoing `$password` gives me the value stored into the DB without issue
So what is going here?

Registration

    $password = '$_POST[user_password]';
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $sql="INSERT INTO users (user_first,user_last,user_name,user_email,user_photo,user_password)VALUES('$_POST[user_first]','$_POST[user_last]','$_POST[user_name]','$_POST[user_email]','$_POST[user_photo]','{$hash}')";

Login

    mysqli_select_db($con,$DATABASE);
    //check logged in
    if ($_SERVER["REQUEST_METHOD"] === "POST") {
        $user = $_POST['user_name'];
        $password = $_POST['user_password'];
        $hashobj = mysqli_query($con,"SELECT user_password FROM users WHERE user_name = '$user'");
        $hasharray = mysqli_fetch_assoc($hashobj);
        $hash = implode($hasharray);
        if (password_verify($password,$hash)) { 
        echo 'Password is valid!'; 
        } else { 
        echo 'Invalid password.'; }
    }
    mysqli_close($con);
    ?>

fizzlesticks · May 27, 2016

$password = '$_POST[user_password]';

Do you actually want to give everyone the password $_POST[user_password]

or should that be

$password = $_POST['user_password'];

thekeemo · May 27, 2016

7 minutes ago, fizzlesticks said:
$password = '$_POST[user_password]';
Do you actually want to give everyone the password $_POST[user_password]

or should that be
$password = $_POST['user_password'];

did I really forget the ' ' (facepalm)

but that is not it

when I echo $password it gives me the actual value

when I put the password and hashed password right into the password_verify it still doesnt work.

fizzlesticks · May 27, 2016

18 minutes ago, thekeemo said:

when I echo $password it gives me the actual value

When you echo $password in the registration file it gives you the actual value? and not "$_POST[user_password]" ?

Also could you post the hash from the login script after doing

$hash = implode($hasharray);

thekeemo · May 27, 2016

13 minutes ago, fizzlesticks said:
When you echo $password in the registration file it gives you the actual value? and not "$_POST[user_password]" ?

Also could you post the hash from the login script after doing
$hash = implode($hasharray);

Correct. Apprentice I had the ' ' in the code but not here..

I reran it and now it is telling me

Warning: implode(): Argument must be an array

echoing hasharray also doesnt say array anymore

thekeemo · May 27, 2016

38 minutes ago, fizzlesticks said:
When you echo $password in the registration file it gives you the actual value? and not "$_POST[user_password]" ?

Also could you post the hash from the login script after doing
$hash = implode($hasharray);

Doing this makes it show the correct hash

<?php
session_start();
include_once("header.php");
?>
<?php
mysqli_select_db($con,$DATABASE);
//check logged in
if ($_SERVER["REQUEST_METHOD"] === "POST") {
	$user = $_POST['user_name'];
	$password = $_POST['user_password'];
	$hashobj = mysqli_query($con,"SELECT user_password FROM users WHERE user_name = '$user'");
	$hasharray = mysqli_fetch_assoc($hashobj);
	echo $hasharray . "<br>";
	$hash = $hasharray['user_password'];
	echo $hash . "<br>";
	if (password_verify($user,$hash)) { 
    echo 'Password is valid!'; 
	} else { 
    echo 'Invalid password.'; 
	}
}
mysqli_close($con);
?>

hash in DB

$2y$10$6.iTrFmZuvR3zg34U0G0bOy6/B1QVA0gYfRbh7JikIjkL8no1REtm

echo

$2y$10$6.iTrFmZuvR3zg34U0G0bOy6/B1QVA0gYfRbh7JikIjkL8no1REtm

fizzlesticks · May 27, 2016

The problem is/was your registration page. The value you have stored in the database is a hash for the literal string '$_POST[user_password]'

Doing

password_verify('$_POST[user_password]', '$2y$10$6.iTrFmZuvR3zg34U0G0bOy6/B1QVA0gYfRbh7JikIjkL8no1REtm');

returns true.

thekeemo · May 27, 2016

19 minutes ago, fizzlesticks said:
The problem is/was your registration page. The value you have stored in the database is a hash for the literal string '$_POST[user_password]'

Doing
password_verify('$_POST[user_password]', '$2y$10$6.iTrFmZuvR3zg34U0G0bOy6/B1QVA0gYfRbh7JikIjkL8no1REtm');
returns true.

Thank you got it to work

for some reason I had '$_POST[user_password] '

Sign In

password_verify failing to verify password created with password_hash PHP

Link to comment

Share on other sites

Link to post

Share on other sites

Link to comment

Share on other sites

Link to post

Share on other sites

Link to comment

Share on other sites

Link to post

Share on other sites

Link to comment

Share on other sites

Link to post

Share on other sites

Link to comment

Share on other sites

Link to post

Share on other sites

Link to comment

Share on other sites

Link to post

Share on other sites

Link to comment

Share on other sites

Link to post

Share on other sites

Link to comment

Share on other sites

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Featured Topics

Topics

Latest From Linus Tech Tips:

Is Future Proofing Stupid?

Latest From Tech Quickie:

Are Your PC Components TOO BIG?

Latest From TechLinked:

Encryption Could Be Ruined

Latest From GameLinked:

Are you excited for Doom: The Dark Ages? - Gamers 2 Gamers

Latest From ShortCircuit:

Dang, projectors have CHANGED - Dangbei Mars Pro 2

Latest From Mac Address:

The way you use Apple is about change

Latest From Channel Super Fun:

I Swapped the CEO's Assistant For a Day!