0

I have a simple login system for which I am using bcrypt for security. The logic is simple: I have echoed every variable and everything looks good. My DB column is also varchar(255), so I don't have any limitation issue. Moreover, I tried many other solutions, but in vain. Here's my code:

The original username stored in the DB is admin and the password is admin123. I ran the password_hash('admin123', PASSWORD_BCRYPT) function to generate a password, and I copied and pasted that into the database!

function validate($data){
    $this->db->select("username,password");
    $this->db->from('admin');
    $query = $this->db->get();
    $res = $query->result();
    $db_username = $res[0]->username;
    $db_password = $res[0]->password;

    $user_username = $data['login_username'];
    $user_password = $data['login_password'];

    $user_password = password_hash($user_password, PASSWORD_BCRYPT);

    if ($db_username == $user_username) {
        // returns true
        if (password_verify($db_password, $user_password)) {
            echo "1"; // does not execute
        }
    }
    else
    {
        echo "false";
    }
}

Any recommendations?

Machavity
uneeb meer

2 Answers

3

password_verify() takes the plaintext password as its first argument -- not a hash of the password!

Remove the line containing the call to password_hash(). And, as cristianorbs mentioned, the hash from the database should be the second argument.

(You may also want to pass the username as a parameter to the query -- otherwise, you'll only be able to have one admin user.)

2

Are you sure the parameters are being passed in the correct order to password_verify? The description of the method in the docs says it is inverted:

boolean password_verify ( string $password , string $hash )

Since your hash is coming from the db, you probably should be passing it like this:

password_verify($user_password, $db_password)
cristianorbs
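The fix both answers describe, as an added example (not code from the question or from either answer): the submitted plaintext goes first, the stored hash second, the input is never hashed again, and the row is looked up by username. `validate_login` and the in-memory `$adminTable` are hypothetical stand-ins for the question's model method and its `admin` table.

```php
<?php
// Constructed sample data standing in for the `admin` table. In the real
// application this row would come from a query filtered by username.
$adminTable = [
    'admin' => password_hash('admin123', PASSWORD_BCRYPT),
];

/**
 * Hypothetical replacement for the question's validate(): returns true only
 * when the user exists and the submitted password matches the stored hash.
 */
function validate_login(array $table, array $data): bool
{
    $username = $data['login_username'] ?? '';
    $password = $data['login_password'] ?? '';

    // Look the account up by name instead of always reading row 0.
    if (!is_string($username) || !is_string($password) || !isset($table[$username])) {
        return false;
    }

    // Plaintext first, stored hash second. password_verify() reads the
    // salt and cost out of the stored hash, so the input is not re-hashed.
    return password_verify($password, $table[$username]);
}

// Why the question's comparison can never succeed: password_hash() picks a
// fresh random salt on every call, so two hashes of the same password
// differ, and passing a hash as the "password" argument does not match.
$first  = password_hash('admin123', PASSWORD_BCRYPT);
$second = password_hash('admin123', PASSWORD_BCRYPT);
var_dump($first === $second);                   // two hashes, same password
var_dump(password_verify($first, $second));     // the question's call shape
var_dump(password_verify('admin123', $second)); // the documented call shape

// The corrected check against the constructed table.
$attempts = [
    ['login_username' => 'admin',   'login_password' => 'admin123'],
    ['login_username' => 'admin',   'login_password' => 'wrong-password'],
    ['login_username' => 'nobody',  'login_password' => 'admin123'],
];
foreach ($attempts as $attempt) {
    var_dump(validate_login($adminTable, $attempt));
}
```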