PHP - password_verify issue

Published 2019-02-17 12:01

Question:

I have been scratching my head on this for over 2 hours. I have researched articles on Stack Overflow including:

  • Issue with Bcrypt not verifying correctly

  • php password_hash and password_verify issues no match

  • `password_verify` call returning false for correct password

And I haven't been able to correct my issue. I would appreciate some guidance on how much of an idiot I am being:

Function to insert data into MySQL database:

function insertUser($userObj) {
    // Prepared statement (mysqli): the hash is bound as a plain string, so the
    // '$' characters in a bcrypt hash are never interpreted by MySQL.
    $query = $this->databaseConnection->getStntPrepare()->prepare(
        "INSERT INTO user(username, userpassword) VALUES (?,?);");
    $username = $userObj->getUsername();
    // Hard-coded test password for debugging; produces a 60-character bcrypt hash.
    $password = password_hash('testing1234', PASSWORD_BCRYPT);

    $query->bind_param('ss', $username, $password);
    $query->execute();
}

Verification of user login by retrieving data from MySQL:

function findUser($userObj) {
    $query = $this->databaseConnection->getStntPrepare()->prepare(
        "SELECT userid, userpassword 
            FROM user 
            WHERE username=?");

    $pass = 'testing1234';
    // bind_param() takes its arguments by reference, so the username must be
    // stored in a variable first rather than passed as a method-call result.
    $username = $userObj->getUsername();
    $query->bind_param('s', $username);
    $query->execute();
    $query->bind_result($userid, $hash);

    while ($query->fetch()) {
        // $hash is whatever MySQL stored; if the column was too short, this is
        // a truncated hash and password_verify() will always return false.
        if (password_verify($pass, $hash)) {
            echo 'Password is valid!';
        } else {
            echo 'Invalid password.';
        }
    }
}

When run I get 'Invalid password.'

When I do the below without inserting into the database and then retrieving:

$hash = password_hash('testing1234', PASSWORD_BCRYPT);
if (password_verify('testing1234', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

I get 'Password is valid!'

I believe my problem is something to do with single and double quotes and the interpretation of dollar sign ($) in the password field, as a variable instead of literal (as one of the articles suggests) when storing/retrieving from MySQL database - however I haven't had any luck in resolving. Below is the hash value of 'testing1234':

$2y$10$1/oQEuYX67n.U3usxH.7tenNq7hT2dKyBSIZsy5xR3W

Answer 1:

Problem was in the database - nothing to do with password_verify or password_hash. Datatype had a maximum amount of characters (only defined to 40 as I was made to by MySQL when creating tables). Moved to 60 and no more issues.
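The following is an added example, not code from the question or the answer above. It reproduces the failure the answer describes (a 60-character bcrypt hash silently cut down to fit a VARCHAR(40) column, after which password_verify() can never succeed) and adds a pre-write check so a too-short column fails loudly at registration time instead of locking users out at login. The truncation is simulated with substr(), which is an assumption standing in for what MySQL does when strict mode is off; the constant names and the assertStorableHash() helper are invented for this example.

```php
<?php
// Added example, not part of the original post. Shows why a too-short
// userpassword column breaks password_verify(), and one way to guard against it.

// The asker's original column width (assumption: VARCHAR(40)), and the width
// the PHP manual recommends so that a future PASSWORD_DEFAULT still fits.
const PASSWORD_COLUMN_LENGTH_OLD = 40;
const PASSWORD_COLUMN_LENGTH_NEW = 255;

// Constructed sample credential, the same one used in the question.
$plaintext = 'testing1234';

// A bcrypt hash is always 60 characters:
// "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char digest.
$hash = password_hash($plaintext, PASSWORD_BCRYPT);

// What ended up in the database with VARCHAR(40): MySQL (strict mode off)
// silently drops everything past column width. Simulated here with substr().
$truncated = substr($hash, 0, PASSWORD_COLUMN_LENGTH_OLD);

// The full hash verifies; the truncated one is not a valid bcrypt string,
// so password_verify() rejects the correct password.
var_dump(password_verify($plaintext, $hash));
var_dump(password_verify($plaintext, $truncated));

/**
 * Refuse to store anything that is not a complete, recognised password hash
 * that fits the target column. Throwing here turns a schema mistake into an
 * error during registration rather than a silent "Invalid password" at login.
 */
function assertStorableHash(string $hash, int $columnLength): void
{
    // password_get_info() reports algo as 0 (PHP < 7.4) or null (PHP >= 7.4)
    // for a string it does not recognise, so empty() covers both versions.
    $info = password_get_info($hash);
    if (empty($info['algo'])) {
        throw new RuntimeException('Value is not a recognised password hash');
    }
    if (strlen($hash) > $columnLength) {
        throw new RuntimeException(sprintf(
            'Hash is %d characters but the column holds only %d; it would be truncated',
            strlen($hash),
            $columnLength
        ));
    }
}

// With the old schema the check rejects the hash before it reaches MySQL.
try {
    assertStorableHash($hash, PASSWORD_COLUMN_LENGTH_OLD);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// With the corrected schema the check passes and the row can be written:
//   ALTER TABLE user MODIFY userpassword VARCHAR(255) NOT NULL;
assertStorableHash($hash, PASSWORD_COLUMN_LENGTH_NEW);

// The truncated value that was in the database also fails the check, which is
// how such rows would be caught if the guard were run on existing data.
try {
    assertStorableHash($truncated, PASSWORD_COLUMN_LENGTH_NEW);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two further points worth applying alongside the schema change: enable MySQL's STRICT_TRANS_TABLES (or STRICT_ALL_TABLES) so an oversized value raises "Data too long for column" instead of being truncated, and size the column at 255 rather than exactly 60, because password_hash() with PASSWORD_DEFAULT may switch to a longer algorithm in a future PHP release.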