mysql - php password_verify() hash and pass won't match

Question

I store my passwords in my database hashed with password_hash(), and I am trying to verify the passwords on login with password_verify(). For some reason password_verify() keeps returning false.

I read the documentation on this function and it said to make sure that the hash used in the function is between single quotes ' ' otherwise it will read the hash like it is three variables because of the $'s, so i tried writing $valid like this '$valid'. But that didn't work.

When I echo $valid the output is $2y$10$zzZCN7UlukvY2skb3ELVp.4y3Oc7NJTEsFyqdstqYxT

When I echo $check the output is 123, which is the password used to create the account.

This is the part of my login.php, and this is where I feel the problem is.

$emailLogin = mysqli_real_escape_string($con, $_POST['emailLogin']);

$passLogin = mysqli_real_escape_string($con, $_POST['passLogin']);

$query = "SELECT `pass` FROM `user` WHERE `email`='$emailLogin'";

$result = mysqli_query($con, $query);

$row = mysqli_fetch_array($result);

$pass = $row['pass']; 

$key = VUP($passLogin, $pass);

This is part of my verify.php

function VUP($check, $valid){

if (password_verify($check, $valid)) {
$key = 1;

} else {
echo 'Invalid password.';
$key = 0;
die();
}
return $key;

}

Also part of verify.php

function SHP($password){

$hash = password_hash('$password', PASSWORD_BCRYPT);

return $hash;

}

Any advice would be very helpful.

Answer 1

"When I echo $valid the output is $2y$10$zzZCN7UlukvY2skb3ELVp.4y3Oc7NJTEsFyqdstqYxT"

$2y$10$zzZCN7UlukvY2skb3ELVp.4y3Oc7NJTEsFyqdstqYxT the hash is only 50 in length and is invalid/too short and as I said, MySQL will fail silently; error reporting/checking would not have helped here.

The password's column length should be 60 (255 is suggested), so it wasn't stored correctly originally.

You will need to clear your password column/or table, increase your column's length, and start over again.

Reference:

• http://php.net/manual/en/function.password-hash.php

"Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)."

---

You can also modify your query to read as:

$con = new mysqli("xxx", "xxx", "xxx", "xxx");
if ($con->connect_error) {
    die('Connect Error (' . $con->connect_errno . ') '
            . $con->connect_error);
}

$query = "SELECT `pass` FROM `user` WHERE `email`='$emailLogin'";
$result = $con->query($query);

// error checking on the query
if (!$result) {
    echo "<p>There was an error in query: $query</p>";
    echo $con->error;
}

$row_hash = $result->fetch_array();
if (password_verify($passLogin, $row_hash['pass'])) {
    echo "Success!";
}

---

Edit:

Adding from a comment I left to the OP:

Your verify function needs to have a connection made to your database, that is what I feel is happening here (variable scope). So you'll need to either use global $con; or pass the connection (variable) to your function (which is better in most cases).

I don't know if you're doing an "include" for the function, and if so, then that's what the other problem is.

I.e.: function VUP($con, $check, $valid){ or function VUP($check, $valid){ global $con; - Try both. Use $result = mysqli_query($con, $query) or die(mysqli_error($con)); instead of the one you have now.