For some reason, password_verify is returning false, no matter what. I've done a var_dump on the hash that is returned from the database, and it is correct (at 60 characters). I know that the password I am inputting is correct. And I know that this exact method worked fine prior to me switching over to PDO (from what I read, PDO is more secure. Plus, I like the idea of using parameterized queries).

You can see my old code that was working (it's commented out). What is different about the hash returned by PDO?

<?php
    /* $dbHandle is assumed to be a PDO instance created earlier (the
    ** connection code is not shown in the question). The session has to be
    ** started before $_SESSION is written to. */
    session_start();

    /* When we have all of the input, try to login */
    if(isset($_POST['id']) && isset($_POST['password'])){

        /* Connect to the database */
        //$dbHandle = new Database();
        //$dbHandle -> connect();

        /* Sanitize input to prevent SQL Injection */
        //$password = $dbHandle -> sanitize($_POST['password']);
        //$id       = $dbHandle -> sanitize($_POST['id']);

        /* trim() returns the trimmed copy; it does not modify its argument,
        ** so the result has to be assigned back */
        $password = trim($_POST['password']);
        $id       = trim($_POST['id']);

        // Query the Database for the users info
        $stmt = $dbHandle -> prepare("SELECT `password`, `admin`, `firstname`, `lastname` FROM users WHERE `id` = :id");
        $stmt -> bindParam(":id", $id, PDO::PARAM_INT);
        $stmt -> execute();
        $result = $stmt -> fetch(PDO::FETCH_ASSOC);

        //$result  = $dbHandle -> query("SELECT `password`, `admin`, `firstname`, `lastname` FROM users WHERE `id`=$id") -> fetch_assoc();

        // fetch() returns false when no row matched; an empty hash makes
        // password_verify() fail instead of indexing into false
        $hash    = ($result !== false) ? $result['password'] : '';

        echo $hash . "<br>";
        var_dump($hash);
        echo $password;
        var_dump(password_verify($password, $hash));
        /* Check to see if the user entered the correct password */
        if(password_verify($password, $hash)){

            //Login
            $_SESSION['loggedin'] = true;
            $_SESSION['admin']    = $result['admin'];
            $_SESSION['name']     = $result['firstname'] . ' ' . $result['lastname'];

            /* Update "lastlogin"
            ** Bind the values instead of interpolating them into the query string:
            ** a bound value needs no quoting, and $id is no longer escaped now that
            ** the old sanitize() call has been removed. 'H' gives a 24-hour clock.
            */
            $timestamp = date("Y-m-d H:i:s");
            $update = $dbHandle -> prepare("UPDATE `users` SET `lastlogin` = :ts WHERE `id` = :id");
            $update -> bindParam(":ts", $timestamp);
            $update -> bindParam(":id", $id, PDO::PARAM_INT);
            $update -> execute();

            //Send user to home page, and stop running the rest of the script
            header('Location: home.php');
            exit;

        } else {
            echo("
                <p style='color:red;'>Wrong ID/Password</p>
            ");
        }
    }
?>

The result of all of those echos and var_dumps is as follows

Output of Script (screenshot)

  • If the `$dbHandle -> sanitize()` altered the raw values and you stored those altered values, they may be different from the raw input without that `$dbHandle -> sanitize()` method applied. Try doing those as well, see if passwords and such match. – Rasclatt May 06 '16 at 19:55
  • `$dbHandle -> sanitize($string)` just calls mysqli_real_escape_string on $string. But I'll try that and post back my findings. – Native Coder May 09 '16 at 18:56
  • Yeah try it out, it may fix it. – Rasclatt May 09 '16 at 18:58

2 Answers

Check if

$dbHandle -> sanitize($_POST['password']);

and

$password = trim($_POST['password']);

produce exactly the same result for your passwords.

If not: that's the problem you face. It's got nothing to do with PDO; you might have mutilated the passwords before storing the hashes ...

If they are: the code should not fail if you use the correct password.

  • What I did, just to test the login page was echo `password_hash($password, PASSWORD_DEFAULT)`. I then copied the output, and pasted it into the "password" field of the database (via PHPMYADMIN). This worked perfectly when using the mysqli classes. Now, when I query the database with PDO, I get the same hash. But password_verify fails – Native Coder May 09 '16 at 19:02
  • **Tried to upvote answer, don't have the reputation. Also, can't figure out how to mark as answer. This led me to the solution** – Native Coder May 09 '16 at 19:15

As it turns out, I was calling mysqli_real_escape_string($PASSWORD, $dbHandle) BEFORE hashing the password. Naturally, this changed the hash value altogether.

I solved this by re-inserting the password hash into the database AFTER switching over to PDO.

THIS WAS NOT A PDO ERROR.

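The failure this thread diagnoses, as an added example that is not code from the question or from either answer: a password that is run through an escaping function before it is hashed will never verify against the raw input, while the same password hashed raw and looked up through a prepared statement does. It also performs the comparison the first answer asks for (escaped value versus trimmed raw value) and handles the unknown-id case the question's code did not. It uses an in-memory SQLite database through PDO so it runs offline; the `users` columns are taken from the question's queries, and addslashes() is used as a stand-in for mysqli_real_escape_string(), which needs a live MySQL connection (both backslash-escape quotes, which is the mangling that matters here).

```php
<?php
// Added example, not the original poster's code. Assumptions: an in-memory
// SQLite database stands in for the MySQL `users` table from the question,
// and addslashes() stands in for mysqli_real_escape_string().

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY, password TEXT NOT NULL, admin INTEGER NOT NULL,
    firstname TEXT, lastname TEXT, lastlogin TEXT)");

// Constructed password containing a quote, so escaping actually changes it.
$rawPassword = "it's-a-secr3t";

// Case 1: what the old code did, hashing the *escaped* string.
$escapedAtHashTime = addslashes($rawPassword);
$badHash = password_hash($escapedAtHashTime, PASSWORD_DEFAULT);

// Case 2: the fix, hashing the raw password. Every value goes through a bound
// parameter, so nothing has to be escaped by hand at any point.
$goodHash = password_hash($rawPassword, PASSWORD_DEFAULT);

$ins = $pdo->prepare("INSERT INTO users (id, password, admin, firstname, lastname)
                      VALUES (:id, :password, :admin, :firstname, :lastname)");
$ins->execute([':id' => 1, ':password' => $badHash,  ':admin' => 0,
               ':firstname' => 'Old', ':lastname' => 'Row']);
$ins->execute([':id' => 2, ':password' => $goodHash, ':admin' => 1,
               ':firstname' => 'New', ':lastname' => 'Row']);

/**
 * Look up a user by id with a bound parameter and verify the submitted
 * password against the stored hash. Returns the user's row (without the
 * hash) on success, null when the id is unknown or the password is wrong.
 */
function login(PDO $pdo, int $id, string $password): ?array
{
    $stmt = $pdo->prepare("SELECT `password`, `admin`, `firstname`, `lastname`
                           FROM users WHERE `id` = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false for an unknown id; treat that as a failed login
    // rather than passing false into password_verify().
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }

    // Same prepared-statement discipline for the write that follows a login.
    $upd = $pdo->prepare("UPDATE users SET lastlogin = :ts WHERE id = :id");
    $upd->execute([':ts' => date('Y-m-d H:i:s'), ':id' => $id]);

    unset($row['password']);   // do not hand the hash to the caller
    return $row;
}

// What the user actually typed, with surrounding whitespace trimmed. trim()
// returns the trimmed copy; assigning it is the step the question's code missed.
$typed = trim("  it's-a-secr3t  ");

// The comparison the first answer asks for, plus the three login outcomes.
$checks = [
    'escaping changes the password before it is hashed'
        => addslashes($rawPassword) !== $typed,
    'row hashed from the escaped password rejects the raw input'
        => login($pdo, 1, $typed) === null,
    'row hashed from the raw password accepts the raw input'
        => login($pdo, 2, $typed) !== null,
    'unknown id is rejected without an error'
        => login($pdo, 99, $typed) === null,
    'old row only verifies if the same mangling is re-applied'
        => password_verify(addslashes($typed), $badHash),
];

foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . PHP_EOL;
}
```

Run it with `php example.php` (it needs the pdo_sqlite extension). The last check is the whole story of this thread: the stored hash is a hash of the escaped string, so only the escaped string verifies, and re-inserting a hash of the raw password, as the accepted answer did, is the correct repair. Escaping belongs to query construction, and with bound parameters it is not needed at all; the password should reach password_hash() and password_verify() exactly as the user typed it.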