17

I am trying out a new function from PHP 5.5 called password_hash().

No matter what I do, the $hash and the $password won't match.

$password = "test";

$hash = "$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e";



if (password_verify($password, $hash)) {
    echo "Success";
}
else {
    echo "Error";
}
14
  • Are you receiving any error messages, notices or warnings? What is the output of the variables if you echo them directly? Commented Nov 8, 2013 at 9:39
  • password_verify() returns 1 Commented Nov 8, 2013 at 9:40
  • Maybe your $hash variable is on another file. Commented Nov 8, 2013 at 9:42
  • The hash is saved in a db. I do have an HTML form where I try to log in just to emulate a simple login page. Commented Nov 8, 2013 at 9:44
  • Based on what you said, that's a problem with your saving/retrieving code (to/from db). Please post that code too... As it currently stands, your code is perfectly valid. Commented Nov 8, 2013 at 9:47

3 Answers

52

The problem with your code is that you are using the double quotation marks " instead of the single quotation marks ' when dealing with your hash.

When assigning:

$hash = "$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e";

It's making PHP think you have a variable called $2y and another one called $10 and finally a third one called $fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e, which obviously isn't the case.

I noticed when turning on error reporting that the error:

Notice: Undefined variable: fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e

Was being thrown by PHP.

Replace all your double quote marks with single quote marks to fix.

E.g

$hash = '$2y$10$fXJEsC0zWAR2tDrmlJgSaecbKyiEOK9GDCRKDReYM8gH2bG2mbO4e';

Treats the whole hash as a literal string instead of a string with embedded variables.


2 Comments

hehe... I love this.. I knew it.. man.. you saved my head and I love how things can be this ironic sometimes. Thanks a lot, and bows from me.. I didn't think that way at all.. :)
Just adding a problem that I had: when I was generating the password hash on the HTML I always copied with a space on the end, so it never worked.
14

I had a similar problem with password_verify().

The mistake in my case was that I had declared my password field in the database as varchar(30), but the hash is equal to or longer than 60 characters.

4 Comments

I read somewhere that they recommend the length of the database field to be 255 characters for future proofing.
@docesam I read somewhere the database field for passwords should be TEXT for future proofing.
Thank you! I read the accepted answer, which was not the one for my case. After reading your answer, I immediately got it! Thanks again!
I did exactly the same :)
10

Works fine for me.

<?php

$hash=password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>

OUTPUT:

Password is valid!

3 Comments

Try to save the password and then verify it. What you just did works, but that's not something that can be used. It's just an example. The passwords need to be stored in a database and then verified.
The way you are retrieving the password from the db and comparing it matters. You should post that code.
Please see my question again. I made another example to simplify the matter.
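
The three failures reported on this page (a double-quoted hash literal, a trailing space from copy-paste, and a varchar(30) column) all leave a stored value that is no longer a complete hash. The following is an added example, not code from any of the posts: the helper names `diagnose_stored_hash()` and `verify_stored()` are hypothetical, and the sample values are constructed. It checks the stored string before verifying, so a storage fault is reported as such instead of looking like a wrong password.

```php
<?php
declare(strict_types=1);

/** Return a list of problems with a hash read back from storage (empty = looks intact). */
function diagnose_stored_hash(string $stored): array
{
    $problems = [];
    if ($stored !== trim($stored)) {
        $problems[] = 'leading/trailing whitespace';
    }
    // password_get_info() reports algoName "unknown" when the string is not a
    // complete hash in a format that password_hash() produces.
    if (password_get_info($stored)['algoName'] === 'unknown') {
        $problems[] = sprintf('not a recognised hash (%d bytes)', strlen($stored));
        if (strncmp($stored, '$2y$', 4) === 0 && strlen($stored) < 60) {
            $problems[] = 'bcrypt prefix but shorter than 60 bytes: truncated';
        }
    }
    return $problems;
}

/** Verify a password, logging storage faults separately from a wrong password. */
function verify_stored(string $password, string $stored): bool
{
    $problems = diagnose_stored_hash($stored);
    if ($problems) {
        error_log('stored hash unusable: ' . implode('; ', $problems));
        return false;
    }
    return password_verify($password, $stored);
}

// Constructed sample values, one per failure reported on this page.
$good = password_hash('test', PASSWORD_BCRYPT);
$samples = [
    'intact'         => $good,
    'varchar(30)'    => substr($good, 0, 30),   // column too short for the hash
    'trailing space' => $good . ' ',            // copied with a space on the end
    'double-quoted'  => '$2y$10',               // what is left once "$fXJ..." expands to ''
];
foreach ($samples as $label => $stored) {
    printf("%-15s verify=%-5s %s\n", $label,
        var_export(verify_stored('test', $stored), true),
        implode('; ', diagnose_stored_hash($stored)) ?: 'ok');
}
```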