17

I am trying out a new function from PHP 5.5 called password_hash().

No matter what I do, the $hash and the $password won't match.

$password = "test";

$hash = "$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e";



if (password_verify($password, $hash)) {
    echo "Success";
}
else {
    echo "Error";
}
kittycat
Daniel
  • Are you receiving any error messages, notices or warnings? What is the output of the variables if you echo them directly? – mtaanquist Nov 08 '13 at 09:39
  • password_verify() returns 1 – Daniel Nov 08 '13 at 09:40
  • Maybe your $hash variable is in another file. – Shankar Narayana Damodaran Nov 08 '13 at 09:42
  • The hash is saved in a db. I do have an HTML form where I try to login just to emulate a simple login page. – Daniel Nov 08 '13 at 09:44
  • Based on what you said, that's a problem with your saving/retrieving code (to/from db). Please post that code too... As it currently stands, your code is perfectly valid. – initramfs Nov 08 '13 at 09:47
  • It's really just a simple "SELECT * FROM testhash WHERE id=1". – Daniel Nov 08 '13 at 09:48
  • You should post the full requirement on the question instead of asking requirement one by one. – Shankar Narayana Damodaran Nov 08 '13 at 09:50
  • Print out $hash before storage and after retrieval to confirm. Me and everyone else who posted an answer have verified it to work. Unless it's a bug in PHP itself (unlikely), it's a problem with your db access. Check you're not including extra spaces or accidentally modifying anything. – initramfs Nov 08 '13 at 09:52
  • OK.. I even tried to copy & paste the $hash into a new PHP file and just do the password_verify(). I can't get it to verify. The code is so simple now that there can't be any whitespace, or anything at all. I tried to remake the $hash several times; it won't give me a success. – Daniel Nov 08 '13 at 09:53
  • How about you create a completely blank php document and copy/paste Shankar Damodaran's code. Verify that to work first... – initramfs Nov 08 '13 at 09:55
  • OK.. that I tried long ago. If I put everything in just 1 file it works. But since I am not doing that, I don't start off from that point. – Daniel Nov 08 '13 at 09:56
  • Well... Simple logic then... If the hash generated from `password_hash()` is the same as the hash passed to `password_verify()`, you have verified it to work (assumed from your last comment). You **ARE** modifying the hash in your code somewhere... The question is where. Remember, it has to be a perfect copy, no hidden characters or whitespace... Regarding the hash `$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e` and the password `test`. My `password_verify()` returns true. – initramfs Nov 08 '13 at 10:03
  • Yeah.. hmm.. did you just copy the lines I posted at the end of my question, without adding any new code at all? – Daniel Nov 08 '13 at 10:07
  • See my solution, it's a problem with your quote marks... Seems like we all missed it. :) – initramfs Nov 08 '13 at 10:17

3 Answers

51

The problem with your code is that you are using the double quotation marks " instead of the single quotation marks ' when dealing with your hash.

When assigning:

$hash = "$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e";

It's making PHP think you have a variable called $2y and another one called $10 and finally a third one called $fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e. Which obviously isn't the case.

I noticed when turning on error reporting that the error:

Notice: Undefined variable: fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e

Was being thrown by PHP.

Replace all your double quote marks with single quote marks to fix.

E.g.

$hash = '$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e';

Treats the whole hash as a literal string instead of a string with embedded variables.

initramfs
  • 3
    hehe... I love this.. I knew it.. man.. you saved my head and I love how things can be this ironic sometimes. Thanks a lot, and bows from me.. I didn't think that way at all.. :) – Daniel Nov 08 '13 at 10:20
  • Just adding a problem that I had: when I was generating the password hash on the HTML I always copied with a space on the end, so it never worked. – João Pedro Schmitz Oct 20 '18 at 18:11
12

I had a similar problem with password_verify().

The mistake in my case was that I had declared my password field in the database as varchar(30), but the hash is equal to or longer than 60 characters.

Muhammad Hassaan
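The three failure modes raised on this page (a double-quoted hash literal, a column shorter than 60 characters, and stray whitespace from copy/paste) can be told apart before calling password_verify(). The following is an added example, not code from any of the posters; diagnose_stored_hash() is a hypothetical helper and the sample values are constructed from the hash quoted in the question.

```php
<?php
// Added example: report why a stored value cannot be a usable bcrypt hash.
// diagnose_stored_hash() is a hypothetical helper name, not a PHP built-in.
function diagnose_stored_hash($hash)
{
    $problems = array();

    // Copy/paste or a form round-trip can leave a space or newline around the hash.
    $trimmed = trim($hash);
    if ($trimmed !== $hash) {
        $problems[] = 'surrounding whitespace';
    }

    // password_get_info() reports algoName "unknown" when the string is not in
    // a format that password_hash() produces.
    $info = password_get_info($trimmed);
    if ($info['algoName'] === 'unknown') {
        $problems[] = 'not recognised as a password_hash() value';
    }

    // bcrypt ($2y$) hashes are exactly 60 characters; a shorter value was
    // truncated by the column or lost characters to string interpolation.
    if (strncmp($trimmed, '$2y$', 4) === 0 && strlen($trimmed) !== 60) {
        $problems[] = 'bcrypt hash is ' . strlen($trimmed) . ' characters, expected 60';
    }

    return $problems;
}

// Constructed samples. Single quotes keep every "$" literal.
$good = '$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e';
$samples = array(
    'single-quoted literal'      => $good,
    // What remains of the double-quoted literal once the undefined variable
    // $fXJEsC0z... has been interpolated as an empty string.
    'double-quoted literal'      => '$2y$10',
    'stored in varchar(30)'      => substr($good, 0, 30),
    'copied with trailing space' => $good . ' ',
);

foreach ($samples as $label => $hash) {
    $problems = diagnose_stored_hash($hash);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'ok';
    echo ' | password_verify: ', var_export(password_verify('test', $hash), true), PHP_EOL;
}
```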
9

Works fine for me.

<?php

$hash=password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>

OUTPUT:

Password is valid!

Shankar Narayana Damodaran
  • 2
    Try to save the password and then verify it. What you just did works, but that's not something that can be used. It's just an example. The passwords need to be stored in a database and then verified. – Daniel Nov 08 '13 at 09:42
  • The way you are retrieving the password from the db and comparing matters.. You should post that code. – Shankar Narayana Damodaran Nov 08 '13 at 09:54
  • Please see my question again. I made another example to simplify the matter. – Daniel Nov 08 '13 at 10:01