
I have a problem with my PHP login file. I request the password from my DB by checking the email. When I obtain this password, I check it against the password the user filled in.

password_verify($Passwd, $row['Passwd']) always returns 0, but it should return 1 (password matches).

Why do my passwords not match with each other?

Login code:

<?php
if(isset($_POST['submit'])){

    include_once '../includes/connection.php';

    $Email = $_POST['email'];
    $Passwd = $_POST['passwd'];

    //Create Template
    $sql = "SELECT Passwd FROM user WHERE Email = ?";

    //Create Prepared Statement
    $stmt = mysqli_stmt_init($conn);

    //Prepare Prepared Statement
    if(!mysqli_stmt_prepare($stmt, $sql)){

        echo "SQL Statement Failed";

    } else {

        //Bind the email as a string parameter and run the query
        mysqli_stmt_bind_param($stmt, "s", $Email);

        mysqli_stmt_execute($stmt);

        $res = mysqli_stmt_get_result($stmt);

        while ($row = mysqli_fetch_assoc($res)){

            //Debug output only: the submitted password and the stored hash
            echo $Passwd . "<br>";
            echo $row['Passwd'];

            //Compare the plain-text password against the stored hash
            if(password_verify($Passwd, $row['Passwd'])){
                echo "1";
            } else {
                echo "0";
            }
        }

        mysqli_stmt_close($stmt);

    }

} else {

    header("Location: ../index.php?login=error");
    exit;
}
?>

Registration code:

<?php

if(isset($_POST['submit'])){

    include_once '../includes/connection.php';

    $Username = $_POST['username'];
    $Email = $_POST['email'];
    $Passwd = $_POST['pwd'];

    //Create Template
    $sql = "INSERT INTO user (Username, Email, Passwd)
        VALUES (?, ?, ?);";

    //Create Prepared Statement
    $stmt = mysqli_stmt_init($conn);

    //Prepare Prepared Statement
    if (!mysqli_stmt_prepare($stmt, $sql)) {

        echo "SQL Statement Failed";

    } else {

        //Hash the password before it is stored (bcrypt by default, 60 characters)
        $hashed_passwd = password_hash($Passwd, PASSWORD_DEFAULT);

        //Replace '?' by the actual data
        mysqli_stmt_bind_param($stmt, "sss", $Username, $Email, $hashed_passwd);

        //Run parameters inside database
        mysqli_stmt_execute($stmt);

        mysqli_stmt_close($stmt);
    }

    header("Location: ../index.php?signup=succes");
    exit;

} else {

    header("Location: ./index.php?sinup=error");
    exit;

}

?>

Passwd is a varchar(50) column in the database.

  • The code you've shown looks ok. But since we can't see what email and password you sent to the server, or what the database row containing the hashed password looks like, or how exactly you saved the password to begin with, it's hard to be sure precisely what might be going wrong. – ADyson Jul 06 '20 at 12:15
  • When the user creates an account, the password is hashed into the database with `password_hash`. In my code above $row['Passwd'] returns the hashed password if I echo it, and if I echo $Passwd it returns the actual password the user filled in in the form. So $row['Passwd'] is hashed from the db and $Passwd is what the user filled in in the form – LightFelcore Jul 06 '20 at 12:18
  • ok. Maybe something went wrong when the password was first saved. Can you show all the relevant code for that? – ADyson Jul 06 '20 at 12:19
  • Where can I post my other code? Because on stackoverflow there is a time limit – LightFelcore Jul 06 '20 at 12:21
  • time limit? What do you mean? There is no time limit. You can edit your question whenever you like, as many times as you like. – ADyson Jul 06 '20 at 12:21
  • I changed the code above – LightFelcore Jul 06 '20 at 12:22
  • yes that's right. But please don't remove the login code. We need both parts, showing at the same time! – ADyson Jul 06 '20 at 12:24
  • Anyway, next question, how big is your password column in your database? I mean, how many characters does it allow? – ADyson Jul 06 '20 at 12:25
  • password is a varchar 50 – LightFelcore Jul 06 '20 at 12:25
  • Ok. Did you read the bit in https://www.php.net/manual/en/function.password-hash.php where it says `it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)` ? – ADyson Jul 06 '20 at 12:26
  • Okay so I changed the characters from 50 to 255 characters in the password column but the password verify still returns 0 and not 1 – LightFelcore Jul 06 '20 at 12:29
  • did you re-create the password? It won't magically change a password that was previously truncated. You'll need to register a new user and try again with that. – ADyson Jul 06 '20 at 12:30
  • Great. I wrote it up as an answer below - please mark as "accepted" and/or upvote if it's helpful. Thanks :-) – ADyson Jul 06 '20 at 12:36
  • No problem! Have a nice day – LightFelcore Jul 06 '20 at 13:02

1 Answer

The password_hash manual says:

it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)

So you need to specify a minimum size of 60 characters for the password column in your database - but a larger size, e.g. 255, is recommended in case the default hashing algorithm changes in future.

You'll also need to re-generate any existing passwords stored in the 50-character field, because they will have been truncated when they were saved, and the extra information has been lost, meaning those old passwords can never be verified.

ADyson
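The failure mode described in the answer can be reproduced without a database. The script below is an added example, not code from the question or the answer: it simulates what a VARCHAR column of a given width does to a password_hash() result (MySQL in non-strict mode silently truncates over-long values), then checks whether password_verify() can still succeed on the stored value. The column widths, the sample password and the helper names are assumptions for the demonstration.

```php
<?php
// Added example (not from the question or the answer above). Reproduces the
// problem: a bcrypt hash from password_hash() is 60 characters long, so a
// VARCHAR(50) column keeps only the first 50 and password_verify() can never
// match the stored value against the correct password.

declare(strict_types=1);

/**
 * Simulates what a VARCHAR($width) column does to an over-long value when
 * MySQL is not in strict mode: the value is silently cut to $width bytes.
 * (In strict SQL mode the INSERT fails instead, which is the safer behaviour,
 * because the error is visible at registration time rather than at login.)
 */
function simulate_varchar(string $value, int $width): string
{
    return substr($value, 0, $width);
}

/**
 * Guard to run before an INSERT/UPDATE: a hash that does not fit the column
 * would be truncated, so refuse to store it. $columnWidth is the declared
 * VARCHAR size of the password column (assumed here; read it from your schema).
 */
function hash_fits_column(string $hash, int $columnWidth): bool
{
    return strlen($hash) <= $columnWidth;
}

/**
 * Hashes $plain, "stores" it in a column of $columnWidth characters and then
 * verifies the original password against what the column retained. This is
 * the whole register-then-login round trip from the question in one call.
 */
function round_trip_verifies(string $plain, int $columnWidth): bool
{
    $hash   = password_hash($plain, PASSWORD_DEFAULT);
    $stored = simulate_varchar($hash, $columnWidth);
    return password_verify($plain, $stored);
}

$plain = 'correct horse battery staple'; // constructed sample password

$hash = password_hash($plain, PASSWORD_DEFAULT);
printf("hash: %s\nlength: %d bytes\n", $hash, strlen($hash));

// 50 is the column width from the question, 60 the bcrypt minimum from the
// manual, 255 the width the manual recommends.
foreach ([50, 60, 255] as $width) {
    printf(
        "VARCHAR(%d): fits=%s verifies=%s\n",
        $width,
        hash_fits_column($hash, $width) ? 'yes' : 'no',
        round_trip_verifies($plain, $width) ? 'yes' : 'no'
    );
}

// password_get_info() exposes the damage directly: a truncated bcrypt string
// no longer has the "$2y$" prefix plus 60-byte shape PHP expects, so it is
// reported as an unknown algorithm instead of bcrypt.
$info = password_get_info(simulate_varchar($hash, 50));
printf("algorithm of the truncated hash: %s\n", $info['algoName']);
```

Running this with `php` on the command line shows the 50-character column failing the round trip while 60 and 255 succeed. The `hash_fits_column()` check is the kind of guard a registration handler can run before `mysqli_stmt_execute()` so that a too-narrow column is caught when the account is created rather than discovered as a silent login failure; widening the column afterwards (for example `ALTER TABLE user MODIFY Passwd VARCHAR(255)`) does not repair rows that were already truncated, which is why the answer says existing passwords must be re-generated.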