Password_Verify problem with hashed password

Question

Hello I'm trying to implement a login system with Unity, however I seem to be having a problem with my PHP.

I think I have narrowed the problem down to the hash being retrieved from the database incorrectly. I suspect this is the problem because if I hardcode the correct hash into a variable and use password_verify() it works, however the same hash when retrieved from the database will not verify.

Thanks in advance for any help.

Here is my register.php script:

<?php

    $conn = mysqli_connect("localhost", "root", "root", "MultiplayerExperience");

    $username = $_POST["usernamePost"];
    $password = $_POST["passwordPost"];

    if(mysqli_connect_errno())
    {
        echo("Connection failed");
        exit();
    }

    $userCheckQuery = "SELECT username FROM players WHERE username = '".$username."';";
    $userCheck = mysqli_query($conn, $userCheckQuery);

    if(mysqli_num_rows($userCheck) > 0)
    {
        echo("User already exists");
        exit();
    }

    $hashedPassword = password_hash(trim($password), PASSWORD_BCRYPT);

    $userInsertionQuery = "INSERT INTO players (username, hash) VALUES ('".$username."', '".$hashedPassword."' );";
    $userInsertion = mysqli_query($conn, $userInsertionQuery) or die("User insertion failed");

    echo("RegistrationSuccess");

?>

Here is my login.php script
<?php

    $conn = mysqli_connect("localhost", "root", "root", "MultiplayerExperience");

    $username = $_POST['usernamePost'];
    $password = $_POST['passwordPost'];

    if(mysqli_connect_errno())
    {
        echo("Connection failed");
        exit();
    }

    $nameCheckQuery = "SELECT username FROM players WHERE username = '".$username."';";
    $nameCheck = mysqli_query($conn, $nameCheckQuery);

    if(mysqli_num_rows($nameCheck) != 1)
    {
        echo("User not found");
        exit();
    }

    $hashFetchQuery = "SELECT hash FROM players WHERE username = '".$username."';";
    $hashFetch = mysqli_query($conn, $hashFetchQuery);

    $correctHash = '$2y$10$qeInE4VYnGiHRiivh/5z8OpX65NrWPYA6/UZTH2HIEGPV6gr9rNZ2';  //Correct hash copied from database
    $incorrectHash = '$2y$10$qeInP4YYnGiHRiivh/5z8OpX63NrWPYO6/UZTH2HIEGPV6gr9rNZ2';    //Incorrect hash for testing

    if(password_verify(trim($password), trim($hashFetch)))
    {
        echo("LoginSuccess");
        exit();
    }

    echo("Incorrect password");


?>

I have searched google for a few days and every post about this matter will not resolve my issue.

`mysqli_query()` returns a result object, containing your hash, not the hash itself. — KIKO Software, May 12 '19 at 12:40
Even when I remove the trim it still doesn't verify correctly. — Kurtis, May 12 '19 at 12:41
Could you please explain how to go about retrieving the hash correctly? — Kurtis, May 12 '19 at 12:42
A nice tutorial can be found here: https://www.codewall.co.uk/php-mysqli-examples-the-ultimate-tutorial It also teaches you to 'prepare' your statements so your login page won't be susceptible to [SQL-injection](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). — KIKO Software, May 12 '19 at 12:48

Password_Verify problem with hashed password

0 Answers0