0

I've started using password_hash() for password hashing. The problem I'm having is that when I use password_verify() to check whether the input value matches the hashed passwords stored in the database, it returns false every time.

  $password = "test";

  $query = "SELECT password FROM user WHERE password = :pass ";
  $statement = $connection->prepare($query);
  $statement->bindParam(":pass", $password);
  $statement->execute(); 

   if(password_verify($password, $row['password'])){
    echo "Password Valid";
   }

   else {
    echo "Invalid Password";
   }

However, if, for example, I copy a single hashed password value from the database and put it in place of $row['password'], the code returns true when I test it.

   if(password_verify($password, '$2y$10$kc09i9YSP.ExmUquMqRnf......')){
    echo "Password Valid";
   }

Help please.

2
  • check below link stackoverflow.com/questions/19855715/… Thanks ! Commented May 30, 2015 at 6:44
  • 1
    SELECT password WHERE password = :password - really‽ Commented May 30, 2015 at 6:47

2 Answers

3

The first problem is that you're trying to use SQL to look for a hashed password. The standard procedure is to find the user with a given username, and fetch that user's password so you can validate.

Your other problem is that you call $row['password'] but you haven't actually set it yet in your code. Fetch the row first, and then you can validate the password.

Something like this should work:

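$username = "test";
$password = "test"; // plaintext password submitted by the user, as in the question

// Look the user up by username, not by password
$query = "SELECT password FROM user WHERE username = :username";
$statement = $connection->prepare($query);
$statement->bindParam(":username", $username);
$statement->execute();
$row = $statement->fetch();

// fetch() returns false when no row matches, so check that before verifying
if ($row !== false && password_verify($password, $row['password'])) {
    echo "Password Valid";
}
else {
    echo "Invalid Password";
}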

-2

Replace:

$statement->bindParam(":pass", $password);

With:

$statement->bindParam(":pass", password_hash($password, PASSWORD_DEFAULT));

Please use the answer from Joel Hinz
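
Added example, not part of either answer: a self-contained PHP script showing why the question's `WHERE password = :pass` lookup and the re-hashing substitution both find no row, and how the username lookup followed by password_verify() succeeds. The in-memory SQLite database, the `alice` account and the `findByPassword()` and `verifyLogin()` helpers are assumptions made for the illustration.

```php
<?php
// Constructed demo: in-memory SQLite stands in for the asker's database.
$connection = new PDO('sqlite::memory:');
$connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$connection->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration stores only the hash (constructed sample account "alice").
$insert = $connection->prepare('INSERT INTO user (username, password) VALUES (:username, :hash)');
$insert->execute([':username' => 'alice', ':hash' => password_hash('test', PASSWORD_DEFAULT)]);

// The question's query: the candidate string is compared with the stored
// hash string, so a plaintext password can never match a row.
function findByPassword(PDO $connection, string $candidate): bool
{
    $statement = $connection->prepare('SELECT password FROM user WHERE password = :pass');
    $statement->execute([':pass' => $candidate]);
    return $statement->fetch() !== false;
}

// Look the account up by username, then let password_verify() re-derive
// the hash using the salt and cost embedded in the stored value.
function verifyLogin(PDO $connection, string $username, string $password): bool
{
    $statement = $connection->prepare('SELECT password FROM user WHERE username = :username');
    $statement->execute([':username' => $username]);
    $row = $statement->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false; // unknown user or wrong password
    }
    // PASSWORD_DEFAULT can change between PHP versions; upgrade old hashes on login.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $update = $connection->prepare('UPDATE user SET password = :hash WHERE username = :username');
        $update->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':username' => $username]);
    }
    return true;
}

// password_hash() draws a new random salt on every call, so this hash of
// the same password differs from the one stored at registration.
$fresh = password_hash('test', PASSWORD_DEFAULT);

echo 'lookup by plaintext finds a row:  ', var_export(findByPassword($connection, 'test'), true), PHP_EOL;
echo 'lookup by fresh hash finds a row: ', var_export(findByPassword($connection, $fresh), true), PHP_EOL;
echo 'verifyLogin(alice, test):         ', var_export(verifyLogin($connection, 'alice', 'test'), true), PHP_EOL;
echo 'verifyLogin(alice, wrong):        ', var_export(verifyLogin($connection, 'alice', 'wrong'), true), PHP_EOL;
echo 'verifyLogin(nobody, test):        ', var_export(verifyLogin($connection, 'nobody', 'test'), true), PHP_EOL;
```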
