Why is the Password_Verify() Function Not Verifying Hashed Passwords?
In your registration script, you're using PHP's password_hash() function to hash user passwords and storing the hashes in the database. When users attempt to log in, you're using password_verify() to compare the entered password with the hashed version in the database. However, the passwords don't match, indicating an issue in your password_verify() call.
password_verify() takes two parameters: the plain-text password and the hashed version. It compares the two and returns true if they match or false if they don't.
In your login script, you're passing the plain-text password ($pwd) and the hashed password ($password) to password_verify():
if(($user_id == $p_num) && (password_verify($pwd, $password))){
However, you're also using var_dump() to inspect the variables during the comparison, which can alter their values. The var_dump() output shows that the plain-text password ($pwd) is being modified to "1", while the hashed password ($password) remains the same as stored in the database.
To fix the issue, remove the var_dump() calls from your code and ensure that $pwd contains the plain-text password entered by the user during login. Your login code should look something like this:
if(($user_id == $p_num) && (password_verify($pwd, $password))){
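An added example, not code from the original page: a registration and login round trip with password_hash() and password_verify() that reports why a check failed by type and length only, so the password and hash are never printed. It assumes PHP 8; the function names register_hash and check_login and all sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Registration: store the full string returned by password_hash().
// bcrypt is chosen here so the example's hash length (60) is fixed.
function register_hash(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT);
}

// Login: returns [ok, reason]. The reason describes the inputs by type and
// length only, so neither the password nor the hash reaches a log or page.
function check_login(mixed $pwd, mixed $stored): array
{
    if (!is_string($pwd) || $pwd === '') {
        return [false, 'password input is ' . get_debug_type($pwd) . ', expected non-empty string'];
    }
    if (!is_string($stored)) {
        return [false, 'stored hash is ' . get_debug_type($stored) . ', expected string'];
    }
    // password_get_info() reports "unknown" for a value that is not a
    // recognisable hash, for example a bcrypt hash that is not 60 characters.
    if (password_get_info($stored)['algoName'] === 'unknown') {
        return [false, 'stored value is not a valid hash (length ' . strlen($stored) . ')'];
    }
    if (!password_verify($pwd, $stored)) {
        return [false, 'password does not match the stored hash'];
    }
    return [true, 'ok'];
}

// Constructed sample values for illustration.
$hash = register_hash('correct horse battery');
$cases = [
    'raw password'   => ['correct horse battery', $hash],
    'wrong password' => ['not the password', $hash],
    'boolean input'  => [true, $hash],
    'truncated hash' => ['correct horse battery', substr($hash, 0, 50)],
];
foreach ($cases as $label => [$pwd, $stored]) {
    [$ok, $reason] = check_login($pwd, $stored);
    printf("%-15s %s (%s)\n", $label, $ok ? 'PASS' : 'FAIL', $reason);
}
```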