-1

I'm working on a password reset, but the issue I'm having is that whenever the password is about to get updated, for some reason it changes. Here is my code:

<?php
if ($password == $confirmpassword)
    {
        echo "$password";
        echo "<br>";
        // hash and secure the password

        $npassword = password_hash('$password', PASSWORD_BCRYPT, array('cost' => 10));
         echo "$npassword";

        // Update the user's password
            $query = $conn->prepare('UPDATE users SET password = :password WHERE email = :email');
            $query->bindParam(':password', $npassword);
            $query->bindParam(':email', $email);
            $query->execute();
            $conn = null;
        echo "Your password has been successfully reset.";
    }
    else
        echo "Your password's do not match.";
}


 ?>

For example, I'm trying to use demo123 as the password. When I echo $password I do get demo123; when I echo $npassword I get a code, and when I manually do

<?php   $npassword = password_hash('demo123', PASSWORD_BCRYPT, array('cost' => 10));?>

I get another hash. Now this hash does work if I add it manually. If I use the variable $password I get another code, wrong by the way, because I can't log in, but if I do it manually and update it then demo123 works.

What am I doing wrong? I'm a newbie.

walter alexander
  • Try `var_dump($password);` instead of echo and post the results, there's probably a white-space or some special character at the end. – ccKep Jan 31 '17 at 00:10
  • 1
    Also: You don't need to encapsulate your variables in quotes if you want to use them (eg. `echo $password;` or `... = password_hash($password, ...)` would have been enough). Actually, this is your mistake, you're generating the hash of the string `$password` and not of `demo123`. – ccKep Jan 31 '17 at 00:13
  • string(7) "demo123" is all I get – walter alexander Jan 31 '17 at 00:16
  • Spent hours on this and never noticed that. You're right, that's why it would never have worked. Thanks, it works now – walter alexander Jan 31 '17 at 00:19

2 Answers

1

If you want to use variables in strings you have to use double quotes ("). In your case though, since you're using variables exclusively and not adding anything to them, you can just remove your quotes:

$npassword = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));

Also, since cost already defaults to 10, you can just omit that as well:

$npassword = password_hash($password, PASSWORD_BCRYPT);
ccKep
0

password_hash results are always different. You can't query MySQL by generated hash; you need to get the user and do password_verify($password, $hash); instead,

where $password is 'demo123' and $hash is the password column value from the DB.

Avik Aghajanyan
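The reset and login flow that both answers describe, as an added example that is not code from the asker or the answerers. It assumes an in-memory SQLite database in place of the real one; the function names `resetPassword` and `login`, the e-mail address and the passwords are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite stands in for the real database (assumption);
// the e-mail address and passwords are constructed sample values.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');
$conn->exec("INSERT INTO users (email, password) VALUES ('user@example.com', '')");

function resetPassword(PDO $conn, string $email, string $password, string $confirm): bool
{
    // === avoids numeric-string juggling ('1e3' == '1000' is true with ==).
    if ($password === '' || $password !== $confirm) {
        return false;
    }
    // Pass the variable itself: '$password' in single quotes would hash the
    // literal nine-character text "$password" instead of the user's input.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $query = $conn->prepare('UPDATE users SET password = :password WHERE email = :email');
    $query->execute([':password' => $hash, ':email' => $email]);
    return $query->rowCount() === 1;
}

function login(PDO $conn, string $email, string $password): bool
{
    // Look the row up by e-mail only; the stored hash cannot be matched in SQL
    // because every password_hash() call uses a fresh random salt.
    $query = $conn->prepare('SELECT password FROM users WHERE email = :email');
    $query->execute([':email' => $email]);
    $hash = $query->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

var_dump(resetPassword($conn, 'user@example.com', 'demo123', 'demo123'));
var_dump(login($conn, 'user@example.com', 'demo123'));   // the password that was set
var_dump(login($conn, 'user@example.com', '$password')); // the literal text from the bug

// The bug from the question, reproduced on its own:
$password = 'demo123';
$buggy = password_hash('$password', PASSWORD_BCRYPT);
var_dump(password_verify('demo123', $buggy));   // real password against the buggy hash
var_dump(password_verify('$password', $buggy)); // literal text against the buggy hash

// Two hashes of the same input, compared directly and then through password_verify():
$a = password_hash($password, PASSWORD_BCRYPT);
$b = password_hash($password, PASSWORD_BCRYPT);
var_dump($a === $b, password_verify($password, $a), password_verify($password, $b));
```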