PHP password_verify() not validating passwords

Question

My PHP app/database setup requires hashing and dehashing of passwords. While password_hash() appears to provide proper output to the database, comparing the stored hash to the plaintext password using password_verify() provides a FALSE result.

Basic input form (signup_form) or (login_form):

<form action="sign_verify.php" method="post">
    <input id="email_add" class="field" type="text" placeholder="Email" name="email"><br>
    <input id="password" class="field" type="text" placeholder="Password" name="pword"><br>
    <input type="submit" value="Sign Up">
</form>

Hashing and adding to database (signup_verify):

$temail=trim(filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING));
$tpword=trim(filter_input(INPUT_POST, 'pword', FILTER_SANITIZE_STRING));
if (!filter_var($temail, FILTER_VALIDATE_EMAIL)) {
    echo "Invalid email address";
}
else {
    $link = array("Database"=>dbName, "UID"=>userName, "PWD"=>userPassword, "MultipleActiveResultSets"=>true);      
    sqlsrv_configure('WarningsReturnAsErrors', 0);
    $link = sqlsrv_connect(serverName, $link);
    if($link === false){
        echo "Connection Failed.<br>";
        die( print_r( sqlsrv_errors(), true));
    }
    else{
        $hpword=password_hash($tpword, PASSWORD_DEFAULT);
        $insertSql = "INSERT INTO Card_score_storage.dbo.customer_cards (Email,Password) VALUES (?,?)";
        $params = array(&$temail,&$hpword);
        $prepareStatement = sqlsrv_prepare($link, $insertSql, $params);
        if ($prepareStatement === false) {
            echo "Looks like something went wrong.";
            echo "<br>";
           die(FormatErrors( sqlsrv_errors() )); 
        }
        else {
            if (sqlsrv_execute($prepareStatement) === false) {
            echo "Looks like something went wrong.";
            echo "<br>";
            die( print_r( sqlsrv_errors(), true));
        }
        else{
            echo "You have successfully signed up with the email: $temail <br>";
            echo "<a href='index.php'>Return to our main page</a>";
        }

Password_verify() validation after user logs in (login_verify):

require_once 'config.php';
error_reporting(E_ALL);

$email=trim(filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING));
$pword=trim(filter_input(INPUT_POST, 'pword', FILTER_SANITIZE_STRING));

//Connect to user database
$link = array("Database"=>dbName, "UID"=>userName, "PWD"=>userPassword, "MultipleActiveResultSets"=>true);      

//Check for connection error
sqlsrv_configure('WarningsReturnAsErrors', 0);

$link = sqlsrv_connect(serverName, $link);
if($link === false){
    echo "Connection Failed.<br>";
    die( print_r( sqlsrv_errors(), true));
}
else{
    sleep(0.2);
    $LoginFetchSql= "SELECT Email,Password FROM Card_score_storage.dbo.customer_cards WHERE Email = '$email'";
    $stmt_l=sqlsrv_query($link,$LoginFetchSql);    
    $getuser = sqlsrv_fetch_array( $stmt_l, SQLSRV_FETCH_ASSOC);

    if ($getuser["Email"] ==NULL) {
        echo '<p style="text-align:center">You did not login successfully.</p>';
        session_destroy();
    }
    else{
        echo $getuser["Password"],"<br>";
        $verify=password_verify($pword,$getuser["Password"]);
        if($verify){
            echo"Good password.";   
        }
        else{
            echo"Bad Password.";
        }
    }

}

The DB column storing hashed passwords is a NCHAR of size 255. Replacing the filtered/trimmed input with direct POST values, as in $_POST["pword"] provides the same result.

**Using an email of "test@test.com" and a password of "test":** Array ( [Email] => test@test.com [Password] => $2y$10$f2cLGYqlLQf6gniX7JyhvOaSIQANy8qIkmLcly/0wBxdcYFLTxs8m ) — cavanaugh, Feb 17 '17 at 06:08
are you sure about `$pword` value that you are passing same as you stored in DB ? — Niklesh Raut, Feb 17 '17 at 06:17
You are checking right : check this - https://eval.in/739183 — Niklesh Raut, Feb 17 '17 at 06:18
I know if you put password `test` directly it will work : https://eval.in/739202, I think you have problem here `$verify=password_verify($pword,$getuser["Password"]);` — Niklesh Raut, Feb 17 '17 at 06:32

score 0 · Accepted Answer · edited May 23 '17 at 12:34

0

I think your problem occurs when writing/retrieving from the database. I recommend var_dumping the passwords on register and when you're retrieving it and comparing those to each other.

EDIT: Changing nchar to varchar should fix it. It's because NCHAR can store unicode data (which perhaps caused the verify to return false) and has a fixed length. VARCHAR cannot store unicode data and has a variable length.

For reference check out this Stackoverflow question for more information: What is the difference between char, nchar, varchar, and nvarchar in SQL Server?

edited May 23 '17 at 12:34

Community

1
1

answered Feb 17 '17 at 06:18

Melvin Koopmans

2,994
2
25
33

A fresh test shows that the initial password hash, the value stored in the database, and the retrieved value are all identical. At what points could hypothetical writing/retrieval problems occur? – cavanaugh Feb 17 '17 at 06:33
Can you try using VARCHAR instead of NCHAR? – Melvin Koopmans Feb 17 '17 at 06:34
Color me amazed, that fixed it. Could you hazard a guess at what the problem was? – cavanaugh Feb 17 '17 at 06:37
I answered your question in my edit. Did you read it already? :) – Melvin Koopmans Feb 17 '17 at 14:12
Yes, appreciated. Hadn't considered considered database formatting as the possible root of the problem. – cavanaugh Feb 17 '17 at 19:50

PHP password_verify() not validating passwords

1 Answers1