So this is how I encrypt my password.

```php
$password_encrypted = password_hash($password, PASSWORD_DEFAULT);
```

And this is how I get the value and check it:

```php
<?php
    include("config.php");
    session_start();

    if($_SERVER["REQUEST_METHOD"] == "POST") {
        // username and password sent from form

        $myusername = mysqli_real_escape_string($db,$_POST['uname']);
        $mypassword = mysqli_real_escape_string($db,$_POST['psw']);

        $result = mysqli_query(
            $db,
            "SELECT password FROM interna_dostop WHERE up_name = '$myusername'");

        $row = mysqli_fetch_array($result);
        $hash = $row['password'];
        echo $hash;
        echo $mypassword;
        echo $myusername;

        if (password_verify('$mypassword','$hash')) {
            header('Location: another.php'); exit;
        } else {
            echo 'Invalid password.';
        }
    }
?>
```

Now here is the funny part. This returns false. But if I enter password_verify('mypass', 'encrypted_pass') I get true?

Any ideas?

Donald Duck
  • You *hash* passwords, not *encrypt*. – Script47 Sep 11 '17 at 16:53
  • ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Sep 11 '17 at 16:54
  • password_verify('$mypassword','$hash') replace it with password_verify($mypassword,$hash). Single quotes are not needed here. – Lovepreet Singh Sep 11 '17 at 16:54
  • What size is the column where you're storing the hash? Can you share the code where you store the passwords? – Jay Blanchard Sep 11 '17 at 16:55

2 Answers


You're passing $mypassword and $hash in with single quotes to password_verify(). No need for the single quotes.

```php
password_verify($mypassword,$hash)
```
Jay Blanchard
Spartacus
  • You in fact can't use single quotes because of string interpolation in PHP. `echo '$mypassword';` resolves to `$mypassword` – Tyler Christian Sep 11 '17 at 16:57
  • Not within the function, though. It will evaluate `'$mypassword'` as a literal string, which is (most likely) not the correct password, nor would the string literal `'$hash'` be the correct hash. This function evaluates to false. – Spartacus Sep 11 '17 at 17:00

Variables inside password_verify are not interpreted, as they are within single quotes. You need to remove the single quotes.

```php
if (password_verify($mypassword, $hash)) {
```

Pubudu Jayawardana
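The fix both answers give, carried through to a complete login flow, as an added example that is not part of the question or either answer. It assumes PHP 7.0 or later with the pdo_sqlite extension; an in-memory SQLite table stands in for the MySQL table interna_dostop from the question (the column names up_name and password are kept from it), and the user 'alice', her password and the other inputs are constructed test data. Beyond removing the single quotes, it replaces mysqli_real_escape_string() plus string concatenation with a prepared statement, passes the password to password_hash() and password_verify() unescaped (the point of Jay Blanchard's comment), returns the same result for an unknown user and a wrong password, and shows why the single-quoted call can never succeed: '$mypassword' is the literal string "$mypassword" and '$hash' is the literal string "$hash", which is not a valid hash, so password_verify() returns false.

```php
<?php
// Added example, not code from the question or either answer. Requires PHP 7.0+
// and the pdo_sqlite extension. An in-memory SQLite database stands in for the
// MySQL table interna_dostop from the question; the column names up_name and
// password are taken from it. The user 'alice' and the passwords below are
// constructed test data.
declare(strict_types=1);

// Look up the stored hash with a prepared statement. Binding the username as
// a parameter replaces mysqli_real_escape_string() plus string concatenation.
function hash_for_user(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password FROM interna_dostop WHERE up_name = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

// Store a new user. The password goes into password_hash() exactly as typed:
// escaping or trimming it first would change what gets hashed.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO interna_dostop (up_name, password) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Check a login. Returns false for both "unknown user" and "wrong password",
// so the caller can show one generic error and not leak which usernames exist.
function login(PDO $db, string $username, string $password): bool
{
    // A throwaway hash to verify against when the user does not exist, so the
    // request takes roughly as long as a real check and response time does not
    // reveal whether the username is valid.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }

    $hash = hash_for_user($db, $username);
    if ($hash === null) {
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT or its cost has changed
    // since the user registered.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $stmt = $db->prepare('UPDATE interna_dostop SET password = :h WHERE up_name = :u');
        $stmt->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// VARCHAR(255) is what the PHP manual recommends for the hash column. SQLite
// ignores the length, but a MySQL column that is too short would truncate or
// reject the 60-character hash and every later verify would fail.
$db->exec('CREATE TABLE interna_dostop (up_name TEXT PRIMARY KEY, password VARCHAR(255) NOT NULL)');

register($db, 'alice', 'correct horse battery staple');

// The bug from the question, reproduced: single quotes do not interpolate, so
// '$mypassword' is the literal 11-character string "$mypassword" and '$hash' is
// the literal string "$hash", which is not a valid hash at all.
$mypassword = 'correct horse battery staple';
$hash = hash_for_user($db, 'alice');
printf("single-quoted call : %s\n", var_export(password_verify('$mypassword', '$hash'), true));
printf("variables passed   : %s\n", var_export(password_verify($mypassword, $hash), true));

// The fixed login path, with the three cases a login form sees.
printf("alice, right pw    : %s\n", var_export(login($db, 'alice', 'correct horse battery staple'), true));
printf("alice, wrong pw    : %s\n", var_export(login($db, 'alice', 'wrong password'), true));
printf("unknown user       : %s\n", var_export(login($db, 'nobody', 'anything'), true));
```

Run it with the php command-line binary. The column-size question raised in the comments produces the same symptom as the quoting bug: PASSWORD_DEFAULT currently yields a 60-character string, and if the column is shorter the stored hash is damaged and password_verify() fails for every user, which is why the manual recommends VARCHAR(255) and why password_needs_rehash() is worth calling on each successful login.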