1

I hashed my password using password_hash() and verify it using password_verify().

When I write the hash directly into a variable, the result is true:

$hash = '$2y$10$lKwHxxc1YJI01ftNe33pcOvddAVrLd0GHwb3Ya3eqQJ2HxycpHjpO';

But when I fetch the value from MySQL, the result is false when I pass it to this function. I echo the value and it looks correct, but I don't know why it is false when I put it in password_verify().

I looked through all previous questions about this problem but didn't find an answer. This is my code:

if(isset($_POST['submit'])=="Log In") {
    $password = 'aliali12';
    $sql = mysqli_query($con, "SELECT * FROM users WHERE user_id = 1");
    $hashed_pass = mysqli_fetch_assoc($sql);
    if (password_verify("$password",$hashed_pass['user_pass'])){
        echo "Correct Password";
    }  else {
        echo 'There are some wrong';
    }
}

Edit:

Here is the code that was used to hash the password:

$password = mysqli_real_escape_string($con, $_POST['changePassword']); 
$hash = password_hash("$password", PASSWORD_BCRYPT)."\n";
Funk Forty Niner
Ahmed
  • remove the `""` around password variable – Rotimi Apr 25 '17 at 14:10
  • the password is correct, I have a problem with the hash variable – Ahmed Apr 25 '17 at 14:13
  • 1
    What is the content of `$hashed_pass['user_pass']`? How did you hash it to begin with? Make sure the length of that column is sufficient (at least 60 chars), otherwise it might be silently failing you due to truncation. – Qirel Apr 25 '17 at 14:14
  • $password = mysqli_real_escape_string($con, $_POST['changePassword']); $hash = password_hash("$password", PASSWORD_BCRYPT)."\n"; – Ahmed Apr 25 '17 at 14:16
  • 3
    You should never use `mysqli_real_escape_string()` on passwords (after hashing, they are safe to store without it, as there are no singlequotes in a hash), and that `\n` might also be the issue here. – Qirel Apr 25 '17 at 14:16
  • 1
    Don't escape your password before you hash it. It shouldn't matter with your example password, but it will lead to problems with passwords containing slashes for example. – jeroen Apr 25 '17 at 14:17
  • @Qirel is right - don't modify the data before saving it to the database. If you're worried about strings, then use prepared statements (you should do this anyway), so that the data inserted is consistent with how it's generated. – Rob W Apr 25 '17 at 14:19
  • All the code you've shared is wrapped in this strange conditional: `isset($_POST['submit'])=="Log In"`... – Álvaro González Apr 25 '17 at 14:20
  • One of your two variables (at least...) is not what you think it is. You should `var_dump()` both `$password` and `$hashed_pass['user_pass']`. – jeroen Apr 25 '17 at 14:20
  • `if(isset($_POST['submit'])=="Log In")` that won't work. – Funk Forty Niner Apr 25 '17 at 14:22
  • Thanks all, it works now when I remove mysqli_real_escape_string() – Ahmed Apr 25 '17 at 14:23
  • `$hash = trim($hash);` would have gotten rid of the (invisible) trailing linebreak and you wouldn't have needed to change anything, except added that line after the first two that you hashed the password with, yet with the exception of NOT escaping the password. `password_verify()` takes care of security. – Funk Forty Niner Apr 25 '17 at 14:41

1 Answer

3

There seem to be two issues here. From your comment we found that:

  1. You're using mysqli_real_escape_string() on the password before hashing it. You should never modify passwords before inserting them, keep it clean. This function could possibly change passwords, if they contain for example single-quotes.
  2. You have \n concatenated to the hash before inserting it, while the password you compare against does not have that. The newline needs to be removed when hashing the password at the point where this data is inserted.

Both need to be corrected (the real_escape() shouldn't be applied to passwords, and the newline removed), and the password inserted again after these corrections have been made.


In addition to this,

if(isset($_POST['submit'])=="Log In") {

isn't what you think it is. It will technically work, as it will compare a boolean to true (so you get true == true if it's set, false == true otherwise). It should simply be

if (isset($_POST['submit'])) {

See Cleansing User Passwords

Qirel
  • 2
    That's because they used the example in http://php.net/manual/en/function.password-hash.php `echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";` - a trap which way too many get caught in. PHP.net should really update that page in regards to inserting into a db. At best, `trim()` would work here for that. – Funk Forty Niner Apr 25 '17 at 14:28
  • Then escaping their password where having something like `123'\abc` would be a perfectly valid password, but silently failing later on. That'll be interpreted/changed as `123\'\abc`. – Funk Forty Niner Apr 25 '17 at 14:31
  • @Fred *Woah*! I've actually never noticed that in the example. That really shouldn't be in that example, indeed! – Qirel Apr 25 '17 at 14:33
  • @Qirel I know. Someone I know sent something to the staff at PHP.net about it, but it seems to either have fallen onto deaf ears, or they simply want people to figure it out by themselves. If the latter, I think that's just plain ignorance on their part, should that be the case. Maybe if we sent them more messages about it, that they'll modify the manual in regards to this. – Funk Forty Niner Apr 25 '17 at 14:34
  • [*An added note...*](http://stackoverflow.com/questions/43612975/hash-variable-not-work-in-password-verify-php#comment74276526_43612975) – Funk Forty Niner Apr 25 '17 at 14:44
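As an added example (not code from the question or the answer above), the following PHP script reproduces the three failure modes raised in this thread and shows the corrected store/verify flow: the trailing `"\n"` copied from the manual example, escaping the plaintext before hashing, and a column too narrow to hold the 60-character bcrypt hash. The `users` table with columns `user_id` and `user_pass`, the `$con` mysqli connection, and the helper names are assumptions; `addslashes()` stands in for `mysqli_real_escape_string()` (which needs a live connection) so the three demonstrations run without a database, and the two database helpers assume the mysqlnd driver for `get_result()`.

```php
<?php
// Added example, not the question's or the answer's code. The three demo*()
// functions run offline; storePassword()/checkPassword() assume a `users`
// table (user_id INT, user_pass VARCHAR(255)) and a mysqli connection $con.
declare(strict_types=1);

// 1. A "\n" appended to the hash (as in the PHP manual's echo example) makes the
//    stored string 61 characters; password_verify() rejects it because crypt()'s
//    60-character output never equals the stored value. trim() repairs it.
function demoTrailingNewline(string $password): array
{
    $stored = password_hash($password, PASSWORD_BCRYPT) . "\n"; // what the question's code inserted
    return [
        'with_newline' => password_verify($password, $stored),       // fails: stray newline
        'trimmed'      => password_verify($password, trim($stored)), // succeeds
    ];
}

// 2. Escaping the plaintext before hashing changes the password whenever it
//    contains ' or \ : addslashes("123'\abc") is "123\'\\abc", so the hash of the
//    escaped text does not verify against what the user actually typed.
//    addslashes() is used here as a stand-in for mysqli_real_escape_string().
function demoEscapeBeforeHash(string $password): array
{
    $hashOfEscaped = password_hash(addslashes($password), PASSWORD_BCRYPT);
    $hashOfRaw     = password_hash($password, PASSWORD_BCRYPT);
    return [
        'escaped_then_hashed' => password_verify($password, $hashOfEscaped), // fails for ' or \
        'hashed_as_typed'     => password_verify($password, $hashOfRaw),     // succeeds
    ];
}

// 3. A VARCHAR narrower than 60 silently truncates the hash in non-strict MySQL
//    modes; substr() simulates the truncated column contents.
function demoTruncatedColumn(string $password, int $columnWidth): bool
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    return password_verify($password, substr($hash, 0, $columnWidth));
}

// Corrected flow: hash the password exactly as typed, no escaping and no "\n",
// and let a prepared statement carry the hash into the database.
function storePassword(mysqli $con, int $userId, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('UPDATE users SET user_pass = ? WHERE user_id = ?');
    $stmt->bind_param('si', $hash, $userId);
    $stmt->execute();
}

// Verify against the fetched column value; no trim() is needed once the
// stored hash is clean, but it is harmless if legacy rows still carry "\n".
function checkPassword(mysqli $con, int $userId, string $password): bool
{
    $stmt = $con->prepare('SELECT user_pass FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row !== null && password_verify($password, trim($row['user_pass']));
}

// Offline demonstration of the three failure modes (constructed inputs).
var_dump(demoTrailingNewline('aliali12'));
var_dump(demoEscapeBeforeHash("123'\\abc"));
var_dump(demoTruncatedColumn('aliali12', 50)); // column narrower than the hash
var_dump(demoTruncatedColumn('aliali12', 60)); // column wide enough
```

Run it with `php demo.php`: the `with_newline`, `escaped_then_hashed` and 50-character-column cases come back false while their corrected counterparts come back true, which is exactly the difference between the hash in the question's `$hash` literal and the value the login code read from MySQL. For the database helpers, storing with `PASSWORD_DEFAULT` into a `VARCHAR(255)` column leaves room for future algorithms, and binding the hash as a parameter removes the reason anyone reached for `mysqli_real_escape_string()` in the first place.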