PHP password_hash and password_verify still not working

UPDATE: So this is an awkward, stupid admission, but the problem was that the hash I saved in the database was a hash of the "password" including quotes. There was no problem with the queries I wrote; the problem was between the chair and the keyboard.

So this is a frequently asked question, and I have looked all over Stack Overflow and Google trying to find the answer, and it didn't work out for me.

I have a table of "agents" with logins and passwords assigned to each agent. The password field is varchar with a length of 255.

Here's my PHP code:

     $conn = new mysqli( "localhost", "VABEN", "**********", "VABen" );
     if( $conn->connect_error )
     {
        die( "Connection failed! " . $conn->connect_error );
     }
     $username = $_POST["username"];
     $password = $_POST["password"];
     // Escape the submitted value before echoing it into the HTML debug output.
     $shown = htmlspecialchars( $password );

     // Fetch the stored hash for this login with a prepared statement.
     $s = $conn->prepare( "SELECT `agent_password` FROM `VABen`.`agents` WHERE `agent_login`=?" );
     $s->bind_param( "s", $username );
     $s->execute();

     $hash = $s->get_result();
     $hash = $hash->fetch_array( MYSQLI_ASSOC );
     if( !$hash )
     {
        die( "No agent found for that login" );
     }

     // Control test: verify the submitted password against a freshly created hash of 'password'.
     $testpw = password_hash( 'password', PASSWORD_DEFAULT );
     echo "Comparing submitted password to locally created hash $testpw which has a length of " . strlen($testpw) . "<br>";
     if( password_verify( $password, $testpw ) )
     {
        echo "Password '$shown' matches with hash $testpw<br>";
     }
     else
     {
        echo "Password '$shown' does not match with hash $testpw<br>";
     }
     echo "<br>";

     // Real test: verify the submitted password against the hash read from the database.
     echo "Supplied Password: '$shown'<br>";
     echo "Queried Hash: " . $hash['agent_password'] . " which has a length of " . strlen( $hash['agent_password'] ) . "<br>";
     echo "Result of password_verify: ";
     if( password_verify( $password, $hash['agent_password'] ) )
        echo "true<br>";
     else
        echo "false<br>";

I'm at a loss. This seems to work when I supply a locally created copy of password_hash, and if I use that locally created copy on a MySQL database, it fails.

Any ideas?

+3



1 answer


Save hash

Have you checked that the agent_password hash was generated with:

     password_hash( $password, PASSWORD_DEFAULT );

Check PDO standards

This probably has no effect, but bindParam standards should be followed for different options. If you use the ? method then:

     $s->bind_param( 1, $username );

There are some odd PDO implementations in the script, try tweaking:

     $s->execute();

     //$hash = $s->get_result();
     //$hash = $hash->fetch_array( MYSQLI_ASSOC );
     $hash = $s->fetchColumn();

Change subsequent calls to $hash['agent_password'] to only $hash.

Basic testing operations

Check the following:

     // $password = $_POST["password"];
     $password = "password";

Then also try saving that hash and retrieving it from mysql again before the final verification step.

Finally

I deeply suspect that what is stored in agent_password does not actually have a password hashed with password_hash.

+1
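
The cause reported in the question's update (a stored hash created from the password including its quotes) can be separated from a damaged or non-hash column value with a small diagnostic. This is an added example, not code from the question or the answer; the function name `diagnose_stored_hash` and the sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: lists reasons why password_verify() may reject $stored.
function diagnose_stored_hash(string $stored, string $candidate): array
{
    $findings = [];
    if ($stored !== trim($stored)) {
        $findings[] = 'stored value has leading or trailing whitespace';
    }
    // algoName is "unknown" for anything that is not an intact
    // password_hash() output (plain text, MD5, truncated or padded hash).
    if (password_get_info($stored)['algoName'] === 'unknown') {
        $findings[] = 'not a recognised password_hash() output';
        // An intact bcrypt hash is exactly 60 characters long.
        if (strncmp($stored, '$2y$', 4) === 0 && strlen($stored) !== 60) {
            $findings[] = 'bcrypt prefix but length ' . strlen($stored) . ', expected 60';
        }
    }
    if (password_verify($candidate, $stored)) {
        $findings[] = 'OK: candidate matches';
        return $findings;
    }
    // The cause found on this page: the hash was made from the password
    // wrapped in literal quote characters.
    foreach (['"', "'"] as $q) {
        if (password_verify($q . $candidate . $q, $stored)) {
            $findings[] = "hash was created from the password wrapped in $q quotes";
        }
    }
    return $findings;
}

// Constructed sample data (PASSWORD_DEFAULT currently produces bcrypt hashes).
$samples = [
    'good'      => password_hash('password', PASSWORD_DEFAULT),
    'quoted'    => password_hash('"password"', PASSWORD_DEFAULT),
    'truncated' => substr(password_hash('password', PASSWORD_DEFAULT), 0, 45),
];

foreach ($samples as $label => $stored) {
    $findings = diagnose_stored_hash($stored, 'password');
    echo $label, ': ', implode('; ', $findings) ?: 'no match, cause not identified', "\n";
}
```

Run from the command line, the `quoted` sample reports the quote-wrapping cause, while `truncated` is flagged as a damaged bcrypt value rather than a wrong password.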

