LinuxQuestions.org


sraidr69 12-31-2015 11:17 PM

PHP 5.5 Password Hashing not working
 
I have followed this site to use password hashing. Using simple test data - password = "mypw". I have saved the password hash as "$2y$10$PeQGxwKQVq70fwPtznH70.fJER/BVYB7u5xl0E" yet when I use
Code:

password_verify($password, $hash)
the stored hash and the login password never match. Does anyone have any ideas on this?
Here is the entire code...

Insert code...
Code:

$hash = password_hash($password, PASSWORD_DEFAULT);
    $str="Insert into users (username, password, fname, lname, email, regdate, book) Values (?, ?, ?, ?, ?, ?,'n')";
    $param = array($username, $hash, $fname, $lname, $email, $rdate);
    $stmt = $pdo->prepare($str);
    $rst = $stmt->execute($param);

Login Code...
Code:

    // Bind the username as a parameter instead of interpolating it into the SQL string
    $sql = "SELECT * FROM `users` WHERE `username` = ?";
    $result = $pdo->prepare($sql);
    $result->execute(array($username));
    $rst = $result->fetchObject();
    //echo $sql . "<br>";
   
    $dbhash = $rst-> password;
    echo "DB=" . $dbhash . "<br>";
    echo "PW=" . $password . "<br>";
    if (password_verify($password, $dbhash)) {
      echo "Success!";
    }
    else {
      echo "Invalid credentials";
    }


j-ray 01-01-2016 04:47 AM

$dbhash = $rst-> password;

I recommend removing the space before password. What do the echo statements give out?

norobro 01-01-2016 10:33 AM

Two thoughts:
  1. Is your database column wide enough? From here:
    Quote:

    it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
  2. Assuming the login password is keyboard input, try calling trim() on it.

sraidr69 01-01-2016 02:42 PM

The password $hash in the db is good. It returns..."$2y$10$PeQGxwKQVq70fwPtznH70.fJER/BVYB7u5xl0E". Trim also did not help and I removed the " " before the password field.

norobro 01-01-2016 03:59 PM

Your code works for me on a two column database:
Code:

mysql> describe users;
+----------+--------------+------+-----+---------+-------+
| Field    | Type        | Null | Key | Default | Extra |
+----------+--------------+------+-----+---------+-------+
| username | varchar(20)  | NO  | PRI | NULL    |      |
| password | varchar(255) | YES  |    | NULL    |      |
+----------+--------------+------+-----+---------+-------+
2 rows in set (0.00 sec)

Code:

$ php -v
PHP 5.6.14 (cli) (built: Oct  9 2015 12:04:25) (DEBUG)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies

Code:

<?php
    $pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8', 'user', 'passwd');
    $password="mypw";
    $username="anyone";

    $hash = password_hash($password, PASSWORD_DEFAULT);
    $str="Insert into users (username, password) Values (?, ?)";
    $param = array($username, $hash);
    $stmt = $pdo->prepare($str);
    $rst = $stmt->execute($param);

//  $password = "somepassword";  // uncomment to get invalid credentials

    // Bind the username as a parameter instead of interpolating it into the SQL string
    $sql = "SELECT * FROM `users` WHERE `username` = ?";
    $result = $pdo->prepare($sql);
    $result->execute(array($username));
    $rst = $result->fetchObject();
    //echo $sql . "<br>";

    $dbhash = $rst-> password;
    echo "DB=" . $dbhash . "<br>";
    echo "PW=" . $password . "<br>";
    if (password_verify($password, $dbhash)) {
      echo "Success!";
    }
    else {
      echo "Invalid credentials";
    }
?>
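
The column-width point raised in this thread can be checked directly in PHP. The following is an added example, not code from any poster: it tests whether a stored value is still a complete hash before blaming `password_verify()`. The function name `diagnoseStoredHash` and the 45-character cut are assumptions made for illustration; the last sample is the string quoted in the first post.

```php
<?php
// Added example (not from the thread): diagnose why password_verify() fails
// by checking whether the stored value is still a complete hash.

// Length of every bcrypt ("$2y$") hash produced by password_hash():
// 4 (prefix) + 2 (cost) + 1 ("$") + 22 (salt) + 31 (digest) = 60.
const BCRYPT_HASH_LENGTH = 60;

// Hypothetical helper: returns "ok" or a short description of the problem.
function diagnoseStoredHash($stored)
{
    if ($stored !== trim($stored)) {
        return 'surrounding whitespace (CHAR padding or a stray newline)';
    }
    // password_get_info() reports "unknown" when the string is not a
    // complete hash in a format that password_hash() produces.
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'unknown') {
        return 'ok';
    }
    $len = strlen($stored);
    if (strncmp($stored, '$2y$', 4) === 0 && $len < BCRYPT_HASH_LENGTH) {
        return "truncated bcrypt hash: $len of " . BCRYPT_HASH_LENGTH . ' characters';
    }
    return 'not a hash format that password_hash() produces';
}

$password = 'mypw';                          // test value used in the thread
$fresh    = password_hash($password, PASSWORD_BCRYPT);

// Simulate a column that is too narrow: in non-strict SQL mode MySQL cuts
// the value to fit the column and only raises a warning.
$truncated = substr($fresh, 0, 45);          // 45 is a constructed width

$samples = array(
    'fresh hash'           => $fresh,
    'cut to 45 characters' => $truncated,
    'quoted in the thread' => '$2y$10$PeQGxwKQVq70fwPtznH70.fJER/BVYB7u5xl0E',
);

foreach ($samples as $label => $stored) {
    printf("%-22s len=%2d verify=%-5s %s\n",
        $label,
        strlen($stored),
        var_export(password_verify($password, $stored), true),
        diagnoseStoredHash($stored));
}
```

Running the same check against the value read back from the database, rather than the value passed to the INSERT, shows whether the column stored the hash intact.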



All times are GMT -5.