PHP password_hash and password_verify still not working
UPDATE: So this is an awkward, stupid admission, but the problem was that the hash I saved in the database was a hash of "password" including the quotes. There was no problem with the queries I wrote; the problem was between the chair and the keyboard.
So this is a frequently asked question, and I have looked all over Stack Overflow and Google trying to find the answer, and it didn't work out.
I have a table of "agents" with logins and passwords assigned to each agent. The password field is varchar with a length of 255.
Here's my PHP code:
    $conn = new mysqli( "localhost", "VABEN", "**********", "VABen" );
    if( $conn->connect_error )
    {
        die( "Connection failed! " . $conn->connect_error );
    }

    $username = $_POST["username"];
    $password = $_POST["password"];

    // Fetch the stored hash for the submitted login
    $s = $conn->prepare( "SELECT `agent_password` FROM `VABen`.`agents` WHERE `agent_login`=?" );
    $s->bind_param( "s", $username );
    $s->execute();
    $hash = $s->get_result();
    $hash = $hash->fetch_array( MYSQLI_ASSOC );

    // Test 1: verify against a hash created locally from the literal 'password'
    $testpw = password_hash( 'password', PASSWORD_DEFAULT );
    echo "Comparing submitted password to locally created hash $testpw which has a length of " . strlen($testpw) . "<br>";
    if( password_verify( $password, $testpw ) )
    {
        echo "Password '$password' matches with hash $testpw<br>";
    }
    else
    {
        echo "Password '$password' does not match with hash $testpw<br>";
    }
    echo "<br>";

    // Test 2: verify against the hash read back from the database
    echo "Supplied Password: '$password'<br>";
    echo "Queried Hash: " . $hash['agent_password'] . " which has a length of " . strlen( $hash['agent_password'] ) . "<br>";
    echo "Result of password_verify: ";
    if( password_verify( $password, $hash['agent_password'] ) )
        echo "true<br>";
    else
        echo "false<br>";
I'm at a loss. This seems to work when I supply a locally created copy of password_hash, and if I use that locally created copy on a MySQL database, it fails.
Any ideas?
Save hash
Have you checked that the agent_password hash was generated with:
password_hash( $password, PASSWORD_DEFAULT );
Check PDO standards
This probably has no effect, but bindParam standards should be followed for different options. If you use the ? method, then:
$s->bind_param( 1, $username );
There are some odd PDO implementations in the script, try tweaking:
$s->execute();
//$hash = $s->get_result();
//$hash = $hash->fetch_array( MYSQLI_ASSOC );
$hash = $s->fetchColumn();
Change subsequent calls from $hash['agent_password'] to only $hash.
Basic testing operations
Check the following:
// $password = $_POST["password"];
$password = "password";
Then also try saving that hash and retrieving it from mysql again before the final verification step.
Finally
I deeply suspect that what is stored in agent_password does not actually have a password hashed with password_hash.
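A diagnostic for the failure described in the update, as an added example that is not part of the original question or answer: it checks whether a stored value is a well-formed password_hash() string and, if it is, whether it was made from a quoted or newline-terminated copy of the password. The function name diagnose_stored_hash and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the original post. Values are constructed.

/**
 * List the reasons a stored value fails password_verify().
 * $candidate is the plaintext you believe is correct (test accounts only).
 */
function diagnose_stored_hash(string $stored, string $candidate): array
{
    $findings = [];

    // password_hash() output is never padded, so stray whitespace means the
    // value was altered on its way into or out of the database.
    $clean = trim($stored);
    if ($clean !== $stored) {
        $findings[] = 'stored value has leading/trailing whitespace';
    }

    // 'algo' is null (0 before PHP 7.4) when the string is not a recognised
    // hash; this also catches bcrypt hashes cut short by a narrow column.
    $info = password_get_info($clean);
    if (empty($info['algo'])) {
        $findings[] = 'not a password_hash() value (plaintext, other digest, or truncated)';
        return $findings;
    }

    if (password_verify($candidate, $clean)) {
        return $findings ?: ['ok'];
    }

    // Well-formed hash of different input: try the variants that creep in
    // when a hash is generated by hand and pasted into the table.
    $variants = [
        'wrapped in double quotes' => '"' . $candidate . '"',
        'wrapped in single quotes' => "'" . $candidate . "'",
        'followed by a newline'    => $candidate . "\n",
    ];
    foreach ($variants as $label => $input) {
        if (password_verify($input, $clean)) {
            $findings[] = "hash was created from the password $label";
        }
    }
    return $findings ?: ['well-formed hash of some other input'];
}

// Constructed reproduction of the asker's situation: the quotes were hashed too.
$stored = password_hash('"password"', PASSWORD_DEFAULT);
print_r(diagnose_stored_hash($stored, 'password'));
```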