search

Home  >  Q&A  >  body text

Password hashing issue in PHP - password_verify() always returns false

<p>I have a problem with password hashing in PHP. I use the password_hash() function to hash the admin password when registering and store it in the database. However, when logging in, when I try to verify the password using password_verify(), it always returns false, even though I'm sure the password is correct. </p><p>Here is a summary of my code: </p><p><br /></p> <pre class="brush:php;toolbar:false;">$adminPassword = "test123"; $adminPasswordHash = password_hash($adminPassword, PASSWORD_BCRYPT); // ... Store $adminPasswordHash in the database ... // During login: $adminInputPassword = "test123"; $adminPasswordHashVERIFY = "$2y$10$o4qspRTirOSdyGtwHCxt6ee2i0BNChl3mEPazxVbmb534kw3ACHCm"; if (password_verify($adminInputPassword, $adminPasswordHashVERIFY)) { echo "Password is correct!"; } else { echo "Password is incorrect!"; }</pre> <p>I made sure $adminPassword and $adminInputPassword have the same value, but the validation always returns false. I also tried using the password_hash() function and passing PASSWORD_DEFAULT as parameter instead of PASSWORD_BCRYPT, but the result was the same. </p><p>Am I missing something during the hash generation or verification process? Any help or insight into this issue would be greatly appreciated. Thanks! </p><p><br /></p>
P粉481035232P粉481035232546 days ago539

reply all(1)I'll reply

  • P粉099000044

    P粉0990000442023-07-31 13:54:06

    I found the problem! The problem seems to be caused by the use of double quotes (") in the $adminPasswordHashVERIFY variable. When double quotes are used, PHP interprets the string and replaces the variables within it. Since there is no variable named $fReIQ, PHP treats it as un variable defined, causing an incorrect hash value to be generated during verification.

    To resolve this issue, use single quotes (') around the hashed password in the $adminPasswordHashVERIFY variable. This ensures that the hashed password is treated as A normal string instead of being interpreted by PHP.

    Now if you try the following code you will get the output "Password correct! ".


    <?php
$adminPassword = "test123";
$adminPasswordHash = password_hash($adminPassword, PASSWORD_BCRYPT);

$adminInputPassword = "test123";
$adminPasswordHashVERIFY = 'y$o4qspRTirOSdyGtwHCxt6ee2i0BNChl3mEPazxVbmb534kw3ACHCm';

if (password_verify($adminInputPassword, $adminPasswordHashVERIFY)) {
    echo "Password is correct!";
} else {
    echo "Password is incorrect!";
}

?>

    reply
    0
  • Cancelreply