I'm writing a Password class and I'm using password_hash with PASSWORD_DEFAULT to create the hash.
The documentation says that password_hash could also return false if the hashing fails. In that case I'm throwing an exception and I would like to test this case carefully.
Do you have an example of a string $password such that password_hash($spassword, PASSWORD_DEFAULT) === false?
This has nothing to do with password_verify returning false when it doesn't match the hash.
Even it's quite old, but I had the very same question and dove a little depeer into. So I share my sparse results here:
password_hash return null". That's the case when it can't handle stuff in the $options-parameter (like ("cost" => -1) or whatever. But it's about null, not false.false neither with for PASSWORD_DEFAULT, not with PASSWORD_BCRYPT in 5.5, 5.6 and 7.4.password-hash-function) may return false:
false-cases that are hard to recapitulate (like, when this happens). But even the PHP developers themselves do not test for those, so I get the impression they are only happening in very specialized circumstances, when the underlying c-libraries for encryption fail and are not triggerable with a special password. false-cases, when deep down in the crypt-libraries null pointers occur for example. I am not enough of a c-programmer to tell if this is likely or even possible. But there are still no tests for false.false-case left, although still stated in the docs. password_hash throws exceptions in every case of error as you would expect.Conclusion:
I think it's best to catch the false case (and thus the null-case as well, although it can not happen if no $options provided), may it be as unlikely as it is. This is maybe the most crucial part of your application! Especially when using PASSWORD_DEFAULT, since it may change over time and therefore it's behavior, or older versions of PHP are allowed for your application. I would throw a fatal error here or even die out, since as far I can see, the false-case can only happen due to serious misconfiguration of the server. Therefore it can not be tested in unit-tests.
$hash = password_hash($password, PASSWORD_DEFAULT);
if (!$hash) {
trigger_error("Fatal error when encrypting the password", E_USER_ERROR);
}
password_verifythat returnsfalse, notpassword_hashpassword_hashcould fail would be if your server is not configured properly.falseseems like an overly trivial unit test. If you really want to do it though the neatest thing I can suggest is wrappingpassword_hashin a function that can be made to return false during a test.