0

I am able to hash and verify a password like this:

<?php
    $password ="passss.com";
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if (password_verify('passss.com', $hash)) {
         echo 'Password is valid!';
    } else {
      echo 'Invalid password.';
    }
?>

But when I tried to do the same thing when querying data from MySQL, I am always getting Invalid password.

I simply created the $hash in a PHP file and inserted it into MySQL table manually.

if (!isset($_POST['username'], $_POST['password'])) {
    die('Please fill both the username and password field!');
}
if ($stmt = $con->prepare('SELECT id, userpassword FROM users WHERE useremail = ?')) {
    $stmt->bind_param('s', $_POST['username']);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        $stmt->bind_result($id, $userpassword);
        $stmt->fetch();
        if (password_verify($_POST['password'], $userpassword)) {
            $_SESSION['loggedin'] = true;
            echo "Password is valid";
        } else {
            echo "Invalid password.";
        }
    } else {
        echo 'Incorrect username!';
    }
}
halfer
Mona Coder
  • var_dump the hashed password, what does it show? Plus, check the password column's length; what is it? – Funk Forty Niner Oct 08 '19 at 22:35
  • What is the size of your password hash column? – Dharman Oct 08 '19 at 22:35
  • The size is `varchar(255)` but I am able to insert the hashed value into the table properly – Mona Coder Oct 08 '19 at 22:37
  • So why are you checking for the password verification with a POST array if you entered/saved it manually? – Funk Forty Niner Oct 08 '19 at 22:41
  • I want to assure you guys that the password is in the database, but when I want to check login through MySQLi it is not verifying – Mona Coder Oct 08 '19 at 22:44
  • What I forgot to also add was; are you entering the hash in the form or the plain text you posted as a variable? Your question is starting to be unclear (for me) and knowing details. – Funk Forty Niner Oct 08 '19 at 22:45
  • No I entered the hashed value like `$2y$10$4kXej/WaHMFZf37Ru5Ed5eheUaKRRvfqa6jE18XcSP1lH13unSS2y` into the cell – Mona Coder Oct 08 '19 at 22:47
  • just a quick question: you use `bind_param('s', $_POST['username']);` and `useremail = ?` in the `prepare`, that's a bit confusing – jibsteroos Oct 08 '19 at 22:52
  • Right. I second what @jibsteroos mentions above. Plus, I asked about the POST array's value and origin earlier; that wasn't answered nor was the question updated to contain the form. This might just be a typographical error made somewhere. – Funk Forty Niner Oct 08 '19 at 22:58
  • Please provide a dump of `$_POST['password']` & `$userpassword`. The hashed value you gave matches the password for me, but we don't understand where did you get that hash from, or what is in the post. – Dharman Oct 08 '19 at 23:05
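
The checks the commenters ask for (length of the stored hash, the exact stored value, what actually arrives in the POST) can be scripted without printing the hash itself. This is an added example, not code from the original post; `check_stored_hash()` is a hypothetical helper and the sample values are constructed.

```php
<?php
// Added example: report why a stored hash might fail password_verify().
// check_stored_hash() is a hypothetical helper, not from the original post.
function check_stored_hash(string $stored, string $candidate): array
{
    $findings = [];

    // Manual copy/paste into a table cell often adds a newline or space.
    if ($stored !== trim($stored)) {
        $findings[] = 'stored hash has leading/trailing whitespace';
    }
    // A bcrypt hash from password_hash() is exactly 60 characters;
    // anything else is reported by password_get_info() as "unknown".
    $info = password_get_info($stored);
    if ($info['algoName'] === 'unknown') {
        $findings[] = 'not a recognisable password_hash() value (length '
            . strlen($stored) . ')';
    }
    if ($candidate !== trim($candidate)) {
        $findings[] = 'submitted password has leading/trailing whitespace';
    }
    $findings[] = password_verify($candidate, $stored)
        ? 'password_verify: match'
        : 'password_verify: no match';

    return $findings;
}

// Constructed sample data: one intact hash and two damaged copies of it.
$good = password_hash('passss.com', PASSWORD_DEFAULT);
$samples = [
    'intact'           => $good,
    'trailing newline' => $good . "\n",
    'truncated to 50'  => substr($good, 0, 50), // e.g. a column that is too short
];

foreach ($samples as $label => $stored) {
    echo $label, ":\n";
    foreach (check_stored_hash($stored, 'passss.com') as $finding) {
        echo '  - ', $finding, "\n";
    }
}
```

In the login script, the same function can be called with `$userpassword` and `$_POST['password']` right after `$stmt->fetch()`.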

1 Answer

-2

Are you sure that you properly hash the password using PHP built-in functions? Something like:

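$password = $_POST['password'];
// bcrypt work factor: 4 is the lowest cost bcrypt accepts and is too cheap for stored passwords
$options = array("cost" => 12);
$hashPassword = password_hash($password, PASSWORD_BCRYPT, $options);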

// here pass $hashPassword and insert into database

I have already answered this question in the link below, where you can learn to register, verify the password hash and then log in:

What are the best practices for password submission?

Nancy Moore
  • Thanks for the reply, Nancy, but as I said, I hashed the password this way: `password_hash($password, PASSWORD_DEFAULT);` – Mona Coder Oct 08 '19 at 22:48