Why is PHP's `password_verify` Returning False?

Troubleshooting Password_Verify Returning False

As you're using PHP 5.5 to verify a hashed password with password_verify, it's essential to investigate the potential reasons for its unexpected false return.

Column Length Consideration

One common issue with password_verify stems from the length of the hashed password stored in the database. The manual recommends storing hashedpasswords in a column that can hold more than 60 characters, with 255 being an optimal choice. If your database column is too short to accommodate the hashed password generated by PHP's password hashing functions, it can lead to incorrect verification results.

Therefore, verify your database column has sufficient length to store thehashed password. If the column is indeed too short, expand it to an appropriate size (e.g., 255 characters) and ensure that the stored hashed password is updated accordingly.

Additional Troubleshooting Tips

Beyond column length, there might be other factors contributing to the false return:

• Incorrect password hashing: Double-check that you're using the correct hashing function and salt when generating the hashed password for storage.
• Data type mismatch: In your PHP code, ensure that both the user-provided password and the hashed password retrieved from the database are of the same data type (e.g., both strings).
• Trailing whitespace: Remove any trailing whitespace from the user-provided password and the hashed password before verifying them.
• Deprecated functions: Make sure you're using the current version of PHP and the correct password hashing functions. Avoid using deprecated functions like md5 or sha1.

The above is the detailed content of Why is PHP's `password_verify` Returning False?. For more information, please follow other related articles on the PHP Chinese website!