I am using php password_hash http://php.net/manual/en/function.password-hash.php to create my passwords. And to password_verify http://php.net/manual/en/function.password-verify.php to check passwords.

Problem When I try to verify my password it allows username and password that do not exist to login, but blocks username and passwords that are correct?

For some reason it is back to front? Not sure why?

Question How can I make sure it is not validating incorrect username and password using php password_verfiy

Model Functions

public function login($username, $password) {
    $this->db->where('username', $username);
    $this->db->where('password', $this->validate_password($password));
    $query = $this->db->get($this->db->dbprefix . 'user');

    if ($query->num_rows() > 0) {
        return true;
    } else {
        return false;
    }
}

public function validate_password($password) {
    if (password_verify($password, $this->stored_hash())) {
        return true;
    } else {
        return false;
    }
}

public function stored_hash() {
    $this->db->where('username', $this->input->post('username')); 
    $query = $this->db->get($this->db->dbprefix . 'user');

    if ($query->num_rows() > 0) {
        $row = $query->row();
        return $row->password;
    } else {
        return false;
    }
}

Controller Login

<?php

defined('BASEPATH') OR exit('No direct script access allowed');

class Login extends CI_Controller {

public function __construct() {
    parent::__construct();
    $this->lang->load('common/login', 'english');
    $this->load->model('common/model_login');
    $this->load->library('form_validation');
}

public function index() {
    $data['title'] = $this->lang->line('heading_title');

    $this->form_validation->set_rules('username', 'Username', 'trim|required');
    $this->form_validation->set_rules('password', 'Password', 'required|callback_validate_user');

    if ($this->form_validation->run() == FALSE) {

        $data['template'] = 'common/login_view';
        $this->load->view('common/template_view', $data);

    } else {

        redirect('common/dashboard');
    }
}

public function validate_user() {
    $username = $this->input->post('username');
    $password = $this->input->post('password');

    $result = $this->model_login->login($username, $password);

    if ($result) {

        $data = array(
            'is_logged' => true,
            'username' => $this->input->post('username')
        );  

        $this->session->set_userdata($data);

    } else {

        $this->form_validation->set_message('validate_user', $this->lang->line('error_login'));
        return false;
    }
}

}

Problem is with your validate_password function because this function return either TRUE or FALSE. You need to return $password if your password match

public function validate_password($password) {
    if (password_verify($password, $this->stored_hash())) {
        return $password;// return password here
    } else {
        return false;
    }
}

Change your login function because you already match your password in validate_password() function

function login($username, $password) {

    if ($this->validate_password($password)) {
        $this->db->where('username', $username);
        $query = $this->db->get($this->db->dbprefix . 'user');

        if ($query->num_rows() > 0) {
            return true;
        } else {
            return false;
        }
    } else {
        return FALSE;
    }
}