Issues using password_hash() and password_verify()

Question

So I'm hitting my head against a brick wall here, I can't seem to figure out what I am doing wrong. I've looked everywhere and tried to implement all the answers but to no avail! I'm quite sure that it has something to do with the input into the SQL database, but I'm not sure what it is.

First, here is the code to input a users password from the form into the database. I and reasonably new to all this but I know about SQL injections (http://php.net/manual/en/security.database.sql-injection.php), and was planning on figuring that stuff out when I got this passwords working, and now its 4 hours later. Here's the database input code:

$user_id = mysqli_real_escape_string($mysqli,$_POST['user_id']);
$getpassword = mysqli_real_escape_string($mysqli,$_POST['password']);
$password = password_hash($getpassword, PASSWORD_DEFAULT);
$sql = "INSERT INTO `members` (`user_id`, `password`) VALUES ('$user_id', '$password')";
    $insertRow = mysqli_query($mysqli, $sql);
    if($insertRow){
print 'Success! ID of last inserted record is : ' .$mysqli->insert_id .'<br />';
}else{
    die('Error : ('. $mysqli->errno .') '. $mysqli->error);
}

That inputs it into the database no problem. The password field of the database is a VARCHAR (225) with utf8_unicode_ci encoding.

On my login page (also index.php) here is the code to verify the password that has been entered:

if(isset($_POST['login']))
{
 $username = mysqli_real_escape_string($mysqli, $_POST['username']);
 $password = mysqli_real_escape_string($mysqli, $_POST['password']);
 $res=mysqli_query($mysqli, "SELECT * FROM members WHERE user_id= '$username'");
 $row=mysqli_fetch_assoc($res);
 $hash = $row['password'];
 $verified = password_verify($password, $hash);
 if($verified)
 {
  $_SESSION['user'] = $row["user_id"];
   echo "Verification succeeded";
 } else 
 {
echo "Verification Failed";
 } 
}

It seems that not matter what I try it always returns "Verification Failed". When I cut and paste the hashed password that has been entered into the database, and run the code like this

$verified = password_verify($password, '$2y$10$QxFTdQZT7J2LqulNsRUWPO2LxBS5hmS3NeqLtEtQMEhtbIjoj6LNa');

it still returns "Verification Failed", which makes me suspect that it is something to do with what is happening as I am putting into the database.

I've check all these links and yet it seems that I must be doing something completely different (and most likely completely stupid and obvious):

php password_hash and password_verify looked all over still doesn't work

php password_verify not working with database

php password_verify not working

password_verify php not match

http://forums.phpfreaks.com/topic/283407-need-help-with-password-verify/

Anyway, its doing my head in, hopefully someone can see what (probably) obvious mistake that I have made.

Cheers

You probably don't want to `mysqli_real_escape_string()` the password before passing it to `password_hash()` and `password_verify()`. (It's the result of `password_hash()` you'd want to escape, since that's what's actually going into the database.) — jbafford, Jan 09 '16 at 06:22
@Matt here is 'password' hashed `$2y$10$7Z1JiXJdnSba7upmkf5Rie00XsNCiRFgYoFUzbMHiXiqGiCCm9E5m` Interestingly enough, I have used the same password on several test users the output always changes, however I assume this is supposed to happen? — Thomas Sawade, Jan 09 '16 at 06:35
@jbafford Good pickup, I've changed the code to reflect this, but no change in the outcome: `$getpassword = $_POST['password']; $passwordNotEscaped = password_hash($getpassword, PASSWORD_DEFAULT); $password = mysqli_real_escape_string($mysqli, $passwordNotEscaped);` — Thomas Sawade, Jan 09 '16 at 06:38
That has is actually a hash of the empty string, so it doesn't appear you're getting the password from the user correctly. (`password_verify('', '$2y$10$7Z1JiXJdnSba7upmkf5Rie00XsNCiRFgYoFUzbMHiXiqGiCCm9E5m') == true`) — jbafford, Jan 09 '16 at 06:45
Why don't you remove any `mysqli_real_escape_string()` when dealing with the password. Including during hashing, inserting into db, when user log in(the `$_POST['password`] — frz3993, Jan 09 '16 at 06:45
Have you tried the same thing in login page? i.e. remove `mysqli_real_escape_string()` from `$_POST` values you receive and see if it works. — Rehmat, Jan 09 '16 at 06:45
And I suggest the field for password should be of binary data type. — frz3993, Jan 09 '16 at 06:49
@jbafford A good catch.. It means that register page doesn't hash the password (or you aren't able to catch the password from registration form). All happening is the hash of an empty string is generated and inserted into DB. — Rehmat, Jan 09 '16 at 06:49
@jbafford The hash provided in the question is also a hash of the empty string (`password_verify('', '$2y$10$QxFTdQZT7J2LqulNsRUWPO2LxBS5hmS3NeqLtEtQMEhtbIjoj6LNa') == true`). Definitely means the password is not being read from the form correctly. — patricus, Jan 09 '16 at 06:51

score 0 · Answer 1 · answered Jan 09 '16 at 06:55

@jbafford Thank you! You were exactly right, the problem code lay in my form that was sending the information. I just never picked it up because when I'd echo each of the results to see if the code was receiving them from the form, the password would always show up as a hashed entity so I figured all was well. Here was the problem code:

<input type="password" class="form-control" id="password" required="required" placeholder="Enter Password">

For whatever silly reason I used 'id' instead of 'name'. Fixed it to this

<input type="password" class="form-control" name="password" required="required" placeholder="Enter Password">

and all is good! Thanks for everyone's help, now I can get on with this thing!

Issues using password_hash() and password_verify()

1 Answers1