Password verify not working with password hash BCRYPT

Question

I'm currently working on a PHP login, the password is encrypted on another file using password_hash('password',PASSWORD_BCRYPT), I'm actually retrieving data from mySQL, and getting data from a AJAX call, but I have declared variables for showing my problem:

<?php
require "modulos/conexion.php";
session_start();
if (!isset($_SESSION['username']) && !isset($_SESSION['userid'])) {
    $usuario = "mariano overs";
    $pass = "1234";
    $passdb = '$2y$10$A1nr4od4OjP0N1hNoB9Seur3OsWzU3ufT4G82XNTLV3'; // equivalent of password_hash('1234',PASSWORD_BCRYPT), this is value from DB
    $sql = 'SELECT id_usua, co_usua, ds_pass FROM dbfar_cabusuarios WHERE co_usua="' . $usuario . '" LIMIT 1';
    if ($res = mysqli_query($GLOBALS['conexion'],$sql)) {
        if (mysqli_num_rows($res) == 1) {
            $usuario = mysqli_fetch_array($res, MYSQLI_ASSOC);
            echo "Contrasena guardada: ". $pass . "<br />Contrasena de la base: " . $usuario['ds_pass'] . "<br />";
            if (password_verify($pass, $passdb)){
                $_SESSION['username'] = $usuario['co_usua'];
                $_SESSION['userid'] = $usuario['id_usua'];
                echo "INICIO SESION CORRECTAMENTE";
            }
            else{
                echo "INICIO SESION NO CORRECTO";
            }

        } else {
            echo "REGISTROS NO CORRECTOS";
        }
    } else {
        echo "USUARIO NO EXISTE";
    }
}

Since I know I get the right value from database, is not the problem there, but on the password_verify function. They are not correctly validated. Is there an additional value I need to include on the password_verify?

No, you're using it correctly. Are there aqy errors in your error log? — Jay Blanchard, Nov 03 '15 at 18:09
*"I've my money on that Sam"* ^ @JayBlanchard wanna take 10 to 1 odds? ;-) — Funk Forty Niner, Nov 03 '15 at 18:22
I might have to get some of that fried chicken off you Sam @JayBlanchard the way it's going now. — Funk Forty Niner, Nov 03 '15 at 18:23
I'm getting hungrier by the minute Sam @JayBlanchard you've any Gumbo too? — Funk Forty Niner, Nov 03 '15 at 18:40
I haven't checked error log, but field format is varchar(50) — David Ortega, Nov 03 '15 at 18:48
@Forcefield as outlined in my answer. Your answer is in there ;-) — Funk Forty Niner, Nov 03 '15 at 18:49
@Fred-ii- mySQL query doesn't throw any error when inserting, does it? *i will die slowly* — David Ortega, Nov 03 '15 at 18:51
@Forcefield It will fail silently, yes because of it. Increase the column's size. Delete your stored hashes, alter your column to be long enough to accomodate the hash, store a new hash, then query again. It's all in my answer below. — Funk Forty Niner, Nov 03 '15 at 18:53
@Fred-ii- I really will feel stupid, and this question will surely get downvoted :( — David Ortega, Nov 03 '15 at 18:55
@Forcefield I doubt that and don't feel so bad. We should close the question and mark it as solved then, since my answer mentions everything that needs to be done. — Funk Forty Niner, Nov 03 '15 at 18:56

score 1 · Accepted Answer · edited May 23 '17 at 10:27

The hashed password holds a 60-72 character long string.

The column needs to be long enough in order to accomodate the hash.

http://php.net/manual/en/function.password-hash.php

The manual suggests 255 in order to accomodate for the future.

You will need to start over and alter your column so that it is long enough.

Do that, store a new hash and start over.

60 characters: (from the manual)
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a

and you have a 50 long: (there you go; too short)

$2y$10$A1nr4od4OjP0N1hNoB9Seur3OsWzU3ufT4G82XNTLV3

that tells me that it's been truncated.

The manual states:

Caution

Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters.

Reference:

http://php.net/manual/en/function.password-hash.php

As an added bonus:

Your code is prone to an SQL injection. Best to use a prepared statement.

This was, in fact, the issue. Field length was 50, changed to 72 and works fine :) — David Ortega, Nov 03 '15 at 19:02

Password verify not working with password hash BCRYPT

1 Answers1

Linked