PHP password_verify false negative

Question

Background - I have spent the last hour or so looking through various posts sites and so on to see why my password checking function has suddenly stopped working.

Every time I try to use it, it returns false, including when the inputted password is correct.

I have echoed my input and my hash, both of which match fine (by comparing the hash in the table to the one echoed).

However, when these variables are put through password_verify, it returns false 100% of the time.

What do I think is wrong? - Based on a post from an external site, I think this is due to the way that my hashedPassword variable is being parsed. When is compares the two, something goes wrong in the variable type and returns false.

What does my code and database look like? -

users table. Contains other columns.

userId | username | password
----------------------------
  1    | example  |  temp1

Class containing the password checker function. (Have trimmed away try/catch)

public function checkPasswordCorrect($username, $password) {  // Returns true is the entered password is correct and false if it isn't.

   // This creates a mysqli context to run the connection through.
   $mysqli = new mysqli($this->dbHost, $this->dbUsername, $this->dbPassword, $this->dbPlusPlus);

   // If there is an error connecting to the database, it will be printed and the process will close.
   if (mysqli_connect_errno()) {
       printf("Connect failed: %s\n", mysqli_connect_error());
       exit();
   }

   $sql = "SELECT password FROM users WHERE username='$username'";
   $result = $mysqli->query($sql);
   $row = $result->fetch_array(MYSQLI_ASSOC);

   $hashedPassword = $row["password"];

   $mysqli->close();

   echo $password."<br>".$hashedPassword."<br>"; // The input is correct and the hash matches that in the table.

   // We return a value of true or false, depending on the outcome of the verification.
   if(password_verify($password, $hashedPassword)) {
       echo "return true";
       return true;
   }          
   else {
       echo "return false";
       return false;
   }
}

By echoing $hashedPassword just before using password_verify, the hash matches by manually checking it, as you can see by the output below.

temp0022
$2y$10$9TgjJzSaqOB
return false

What am I asking? -

Is there a better way of checking password inputs, more specifically, the way I'm pulling the information from the table (there must be some simpler way of doing this).
Is the variable parsing to blame? Is there any documentation or articles available for this topic that I haven't seen?

What am I aware of? - My usage of mysqli is shocking, I'm new to it. I am also aware that there are similar answers out there, but seem to be down to some kind of syntax error more than anything else.

Thank you for taking the time to help! :D

For all of those of you who are worried that I'm going to be hit by SQL injection attacks: I have since modified this example code massively and am using prepared, statements. Thank you for your concern :)

How many characters do you allow for the `password`-field in the database? The password it prints is too short and have been truncated. Generated password hashes (using password_verity()) is about 60 chars in length. If you have a varchar-field that's shorter, the full hash won't be saved. — M. Eriksson, Aug 25 '17 at 17:35
I find it kind of ironic that you hash your passwords but do not try to prevent [SQL Injection](http://bobby-tables.com/), almost like you only want half of your system to be secure — GrumpyCrouton, Aug 25 '17 at 17:37
[Little Bobby](http://bobby-tables.com/) says **[you are at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even **[escaping the string](https://stackoverflow.com/q/5741187)** is not safe! I recommend `PDO`, which I [wrote a function for](http://paragoncds.com/grumpy/pdoquery/#function) to make it extremely **easy**, very **clean**, and way more **secure** than using non-parameterized queries. — GrumpyCrouton, Aug 25 '17 at 17:37
@MagnusEriksson The `password` field is of type `VARCHAR(18)`. The verification has worked in the past. @GrumpyCrouton This is temporary code. Start from the bottom and work your way up.# — Will, Aug 25 '17 at 17:38
Just to be sure, was the hashed password created with `password_hash`? — Don't Panic, Aug 25 '17 at 17:38
varchar(18) can never have worked with password_hash(), since the hashes it generates is _longer_ than 18 chars. Change it to _at least_ 60 (they can come to be longer in the future), hash a password again (the existing is beyond saving) and try again. — M. Eriksson, Aug 25 '17 at 17:39

ishegg · Accepted Answer · 2017-08-25T18:30:25.303

4

Check your table structure. Your hash field needs to be of length 60 (for PASSWORD_BCRYPT) or 255 (for PASSWORD_DEFAULT) (ref) to save the whole hash. What you got from the database is 18 characters long. You probably have it as VARCHAR(18), so it's getting truncated upon saving, which is why you're not getting a match.

Edit: Added length for the PASSWORD_DEFAULT algorithm. Thanks @Don'tPanic.

edited Aug 25 '17 at 18:30

answered Aug 25 '17 at 17:38

ishegg

9,407
3
14
30

1

[The PHP documentation](http://php.net/manual/en/function.password-hash.php) recommends a length of 255. – Don't Panic Aug 25 '17 at 17:42
@Don'tPanic I'll edit that in, to note it along the BCRYPT length. Thanks! – ishegg Aug 25 '17 at 17:43
I would remove any and all questions from your answer, answers should be answers, not questions. – GrumpyCrouton Aug 25 '17 at 18:26
It was more of a rhetorical question. I edited it out anway. Thanks. – ishegg Aug 25 '17 at 18:30

PHP password_verify false negative

1 Answers1