user2101411 user2101411 - 1 year ago 72
PHP Question

password_verify is not returning true

I am using password_hash to encrypt a password for inserting into a database. It is working but when I use password_verify to verify it is always returning false, even though the encrypted value is the same (checked the database's values)

Here is my code:

if ($_POST['submit']) {
    $dbh = new PDO("mysql:dbname=pass;host=localhost", "root", "");

    $select = $dbh->query("SELECT username, password FROM passwords WHERE username = " . $dbh->quote($_POST['username']));

    $fetch = $select->fetch(PDO::FETCH_ASSOC);

    if (password_verify($fetch['password'], password_hash($_POST['password'], PASSWORD_BCRYPT))) {
        echo 'Welcome! ' . $fetch['username'] . " your password is " . $fetch['password'];
    } else {
        echo "no";
    }
}

The encrypted password in the database is


Am I missing something? I've used different hashing functions in PHP (
), so I am kind of confused about why this is not working. The password inserted was encrypted in the database via
password_hash($password, PASSWORD_BCRYPT)

Any help would be appreciated.

Answer Source

You don't need to rehash the password when verifying.

password_verify($_POST['password'], $fetch['password']);

Plus you had them in the wrong order.
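
The corrected check from the answer, next to the call from the question, as an added example that is not part of the original post. The in-memory `$users` array, the sample credentials and the `login()` helper are assumptions standing in for the `passwords` table and the login form.

```php
<?php
// Added example. $users is a constructed stand-in for the "passwords" table.

// Registration: hash once and store the resulting string.
$storedHash = password_hash('correct horse', PASSWORD_BCRYPT);
$users = ['alice' => $storedHash];   // constructed sample row

// Hypothetical helper: true only when $submitted matches the stored hash.
function login(array $users, string $username, string $submitted): bool
{
    // For an unknown username, still run one verification against a
    // throwaway hash so both paths do comparable work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_BCRYPT);

    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummy;

    // Argument order: plain-text input first, stored hash second.
    // password_verify() reads the salt and cost from the stored hash itself.
    return password_verify($submitted, $hash) && $known;
}

// password_hash() picks a new random salt on every call, so hashing the
// same password again does not reproduce the stored string.
$again = password_hash('correct horse', PASSWORD_BCRYPT);
echo "re-hash equals stored hash: ";
var_dump($again === $storedHash);

// The question's call: the stored hash is passed as the "password" and a
// freshly generated hash as the "hash", so the two can never match.
echo "question's call: ";
var_dump(password_verify($storedHash, $again));

// The answer's call, for a correct password, a wrong one, and an unknown user.
echo "correct password: ";
var_dump(login($users, 'alice', 'correct horse'));
echo "wrong password: ";
var_dump(login($users, 'alice', 'wrong'));
echo "unknown user: ";
var_dump(login($users, 'mallory', 'correct horse'));
```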
