I store my passwords in my database hashed with password_hash(), and I am trying to verify the passwords on login with password_verify(). For some reason password_verify() keeps returning false.
I read the documentation on this function and it said to make sure that the hash used in the function is between single quotes ' ', otherwise it will read the hash like it is three variables because of the $'s, so I tried writing $valid like this '$valid'. But that didn't work.
When I echo $valid the output is $2y$10$zzZCN7UlukvY2skb3ELVp.4y3Oc7NJTEsFyqdstqYxT
When I echo $check the output is 123, which is the password used to create the account.
This is the part of my login.php, and this is where I feel the problem is.
$emailLogin = mysqli_real_escape_string($con, $_POST['emailLogin']);
$passLogin = mysqli_real_escape_string($con, $_POST['passLogin']);
$query = "SELECT `pass` FROM `user` WHERE `email`='$emailLogin'";
$result = mysqli_query($con, $query);
$row = mysqli_fetch_array($result);
$pass = $row['pass'];
$key = VUP($passLogin, $pass);
This is part of my verify.php
function VUP($check, $valid){
    if (password_verify($check, $valid)) {
        $key = 1;
    } else {
        echo 'Invalid password.';
        $key = 0;
        die();
    }
    return $key;
}
Also part of verify.php
function SHP($password){
    $hash = password_hash('$password', PASSWORD_BCRYPT);
    return $hash;
}
Any advice would be very helpful.
$2y$10$zzZCN7UlukvY2skb3ELVp.4y3Oc7NJTEsFyqdstqYxT
The hash is only 50 in length and is invalid/too short and, as I said, MySQL will fail silently; error reporting/checking would not have helped here. The password's column length should be 60 (255 is suggested), so it wasn't stored correctly originally.
You will need to clear your password column/or table, increase your column's length, and start over again.
Reference:
You can also modify your query to read as:
Edit:
Adding from a comment I left to the OP:
Your verify function needs to have a connection made to your database, that is what I feel is happening here (variable scope). So you'll need to either use
global $con;
or pass the connection (variable) to your function (which is better in most cases). I don't know if you're doing an "include" for the function, and if so, then that's what the other problem is.
I.e.:
function VUP($con, $check, $valid){
or
function VUP($check, $valid){ global $con;
- Try both. Use
$result = mysqli_query($con, $query) or die(mysqli_error($con));
instead of the one you have now.
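
The truncation this answer describes can be reproduced without a database. The following is an added example, not code from the question or the answer: storeInColumn() and isIntactBcryptHash() are hypothetical helpers, and substr() stands in for a column that silently cuts an over-long value.

```php
<?php
// Added example; helper names are hypothetical, sample values constructed.

// Assumption: the column silently keeps only the first $width characters,
// as MySQL does for an over-long value when strict SQL mode is off.
function storeInColumn(string $hash, int $width): string
{
    return substr($hash, 0, $width);
}

// password_hash() with PASSWORD_BCRYPT always yields 60 characters.
// A stored value of any other length has been damaged and cannot verify.
function isIntactBcryptHash(string $stored): bool
{
    return strlen($stored) === 60
        && password_get_info($stored)['algoName'] === 'bcrypt';
}

// Print length, integrity check and password_verify() result for one case.
function report(string $label, string $password, string $stored): void
{
    printf(
        "%-12s length=%d intact=%s verify=%s\n",
        $label,
        strlen($stored),
        var_export(isIntactBcryptHash($stored), true),
        var_export(password_verify($password, $stored), true)
    );
}

$password = '123';                                  // constructed sample
$hash = password_hash($password, PASSWORD_BCRYPT);

report('VARCHAR(50)', $password, storeInColumn($hash, 50));
report('VARCHAR(255)', $password, storeInColumn($hash, 255));
```

Running isIntactBcryptHash() on the value read back from the database before calling password_verify() separates a corrupted stored hash from a wrong password.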