-1

I have an older version of PHP, 5.4.16, and I downloaded password.php from GitHub, which makes password_hash() work perfectly. I also inserted it into the database, but when I try using password_verify() I get invalid. I just want to pull out one row of data in the database just to create something for myself to log in.

My db is (the db works fine because, before I tried to add a login, I had a list which pulls data from the same database, just a different table, and it worked fine):

$db = new PDO('mysql:dbname=database;host=hostip', 'root', 'password'); 

I created this in PHP to insert one row into my table:

/*Inserts*/

$password = password_hash('asdf', PASSWORD_BCRYPT, array('cost' => 10));
$username = 'admin';

$insertQuery = $db->prepare("
        INSERT INTO et_todo (username, password)
        VALUES (:username, :password)
    ");

$insertQuery->execute(array(
        'username' => $username,
        'password' => $password
    ));

To try the verify I did this:

/* Selects */

$selectQuery = $db->prepare("
        SELECT id, username, password
        FROM et_todo
        WHERE id = :id
    ");

$selectQuery->execute(array(
        'id' => 9  //should be 1 but 9 because I tried few testings 
    ));

$rows = $selectQuery->rowCount() ? $selectQuery : array();

foreach ($rows as $row)
{
        if (password_verify('asdf', $row['password'])) {
        /* Valid */
        echo 'valid';
    } else {
        /* Invalid */
        echo 'invalid';
    }
}

What I get is invalid, though. I couldn't figure out what I did wrong. Am I doing the query wrong?

P.S. If I run the inserts a few times, the hashed password in the database is different each time even if the password is always 'asdf' (which, as mentioned below, is normal, but I'm just trying to provide as much info as I can).


I changed $selectQuery to $selectQuery->fetchAll(PDO::FETCH_ASSOC), so I took out the foreach loop and the code is as below, but I'm still getting invalid instead of valid:

$rows = $selectQuery->rowCount() ? $selectQuery->fetchAll(PDO::FETCH_ASSOC) : array();

echo $rows[0]['password'] . '<br>';

if (password_verify('asdf', $rows[0]['password'])) {
    /* Valid */
    echo 'valid';
} else {
    /* Invalid */
    echo 'invalid';
}
WXR
  • Provide a minimal example (i.e., w/o db involved) - why id=9? – MrTux Sep 07 '14 at 01:37
  • db works fine, that's why I didn't provide it, sorry. Will do the edits now, and id 9 because, as I said, I tried a few testings. I used the same insert query and figured the hash that goes into the database is different each time even though the password I entered is the same. Guess I left out all that info, sorry, will add that now – WXR Sep 07 '14 at 02:06
  • *"If I ran the inserts few times the hashed password in database is different each time even if the password is always 'asdf'"* - So it should be; it's normal. – Funk Forty Niner Sep 07 '14 at 02:38

2 Answers

5

The $selectQuery variable is a PDOStatement object, and in this case that's what you're assigning to your variable rows. Instead, switch $selectQuery to $selectQuery->fetchAll().

$rows = $selectQuery->rowCount() ? $selectQuery : array();

should be

$rows = $selectQuery->rowCount() ? $selectQuery->fetchAll() : array();
  • still gives me the invalid – WXR Sep 07 '14 at 02:14
  • try passing $selectQuery->fetchAll(FETCH_ASSOC) and do a var_dump() on $rows. Are you even getting a result? – winternights83 Sep 07 '14 at 02:37
  • this is what I did `$rows = $selectQuery->rowCount() ? $selectQuery->fetchAll(FETCH_ASSOC) : array(); var_dump($rows);` – WXR Sep 07 '14 at 02:43
  • and I get errors `Use of undefined constant FETCH_ASSOC - assumed 'FETCH_ASSOC` and `PDOStatement::fetchAll() expects parameter 1 to be long` and `Invalid argument supplied for foreach()` – WXR Sep 07 '14 at 02:44
  • my mistake, it's PDO::FETCH_ASSOC. So it would be fetchAll(PDO::FETCH_ASSOC). – winternights83 Sep 07 '14 at 02:47
  • this is what I get `array (size=1) 0 => array (size=3) 'id' => string '9' (length=1) 'username' => string 'admin' (length=5) 'password' => string '$2y$10$M9jTByJRhu8TIlNDua0dUO5CE5KjfEUDxHXSu1/meIo' (length=50)` pretty much the array of the row – WXR Sep 07 '14 at 08:14
  • omg I found the problem... was reading more threads and finally found out the reason... thanks nismoracerx for your time! really appreciate it – WXR Sep 07 '14 at 09:02
2

PHP - password_verify issue

I finally found the answer in this thread. In my database I had varchar50 for the password, which I thought would be good enough, and I used strlen to check the length of the password that's already in the database, and it's 50 in length. BUT after I changed to varchar255, ran another insert and checked the length of the newest insert, the length is 60! I then reran the scripts and finally got valid!!

Community
WXR
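The truncation described in the answer above can be detected before the value ever reaches password_verify(). The following is an added example, not code from the original thread: `classifyStoredHash` is a hypothetical helper, and `substr()` is a constructed stand-in for what a VARCHAR(50) column returns after MySQL silently shortens the value.

```php
<?php
// Added example (not from the original post): detect a bcrypt hash that was
// cut short by a too-narrow column before it reaches password_verify().
// On PHP < 5.5 load the password_compat shim first, as the question does.

// A complete "$2y$" bcrypt hash is always exactly 60 characters long.
define('BCRYPT_HASH_LENGTH', 60);

/**
 * Hypothetical helper: classify a hash string read back from storage.
 * Returns 'ok', 'truncated' or 'unrecognized'.
 */
function classifyStoredHash($stored)
{
    $info = password_get_info($stored);
    if ($info['algoName'] === 'bcrypt') {
        return 'ok';
    }
    // password_get_info() reports 'unknown' for a bcrypt hash that is not
    // exactly 60 characters, so check the prefix and length ourselves.
    if (strpos($stored, '$2y$') === 0 && strlen($stored) < BCRYPT_HASH_LENGTH) {
        return 'truncated';
    }
    return 'unrecognized';
}

$password = 'asdf';
$hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));

// Constructed stand-in for what a VARCHAR(50) column hands back when MySQL
// silently truncates the value on INSERT (non-strict SQL mode).
$fromVarchar50 = substr($hash, 0, 50);

$samples = array('VARCHAR(255)' => $hash, 'VARCHAR(50)' => $fromVarchar50);
foreach ($samples as $column => $stored) {
    printf(
        "%-12s length=%d status=%-9s verify=%s\n",
        $column,
        strlen($stored),
        classifyStoredHash($stored),
        password_verify($password, $stored) ? 'valid' : 'invalid'
    );
}
```

Running the same classification over existing rows shows which accounts were stored truncated; those hashes cannot be repaired and the passwords have to be set again after the column is widened.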