user2101411 - 15 days ago 9
PHP Question

password_verify is not returning true

I am using password_hash to encrypt a password for inserting into a database. It is working but when I use password_verify to verify it is always returning false, even though the encrypted value is the same (checked the database's values)

Here is my code:

if ($_POST['submit']) {
    $dbh = new PDO("mysql:dbname=pass;host=localhost", "root", "");

    $select = $dbh->query("SELECT username, password FROM passwords WHERE username = " . $dbh->quote($_POST['username']));

    $fetch = $select->fetch(PDO::FETCH_ASSOC);

    if (password_verify($fetch['password'], password_hash($_POST['password'], PASSWORD_BCRYPT))) {
        echo 'Welcome! ' . $fetch['username'] . " your password is " . $fetch['password'];
    } else {
        echo "no";
    }
}


The encrypted password in the database is


$2y$10$dMXgvPo5j9.8gaSqgtxTSevlFCsJwdSn8vdLbqFirUQcFvzfk0or2


Am I missing something? I've used different hashing functions in PHP (hash()), so I am kind of confused about why this is not working. The password inserted was encrypted in the database via password_hash($password, PASSWORD_BCRYPT)


Any help would be appreciated.

Answer

You don't need to rehash the password when verifying.

password_verify($_POST['password'], $fetch['password']);

Plus you had them in the wrong order.
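
The following is an added example, not part of the original question or answer. It shows why re-hashing the submitted password can never match, alongside the argument order from the answer. The sample password, the `alice` row and the helper name `verifyLogin` are assumptions made for illustration, and no database is used.

```php
<?php
// Constructed sample data: a password hashed once at registration time,
// the same way the question stores it.
$plain  = 'correct horse battery staple';
$stored = password_hash($plain, PASSWORD_BCRYPT);

// bcrypt puts a fresh random salt into every hash it produces, so hashing
// the same password a second time gives a different string.
$again = password_hash($plain, PASSWORD_BCRYPT);
echo "two hashes of the same password are equal: ";
var_dump($stored === $again);

// The call from the question: the stored hash is passed as the password
// and a brand-new hash is passed as the hash to check against.
echo "question's call (hash, new hash): ";
var_dump(password_verify($stored, $again));

// The call from the answer: submitted plaintext first, stored hash second.
// password_verify() reads the algorithm, cost and salt out of $stored and
// recomputes the hash of the plaintext with them.
echo "answer's call (plaintext, stored hash): ";
var_dump(password_verify($plain, $stored));
echo "wrong password against stored hash: ";
var_dump(password_verify('wrong guess', $stored));

/**
 * Hypothetical helper: check a login attempt against a fetched row.
 * $row is what fetch(PDO::FETCH_ASSOC) returned; it is false when the
 * username does not exist, so that case is rejected before indexing.
 */
function verifyLogin($row, string $submitted): bool
{
    if (!is_array($row) || !isset($row['password'])) {
        return false;
    }
    return password_verify($submitted, $row['password']);
}

echo "known user, right password: ";
var_dump(verifyLogin(['username' => 'alice', 'password' => $stored], $plain));
echo "unknown user (fetch returned false): ";
var_dump(verifyLogin(false, $plain));
```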