PHP can not login with correct password using password_hash()/password_verify()

I checked various similar reports, but could not find a solution, so any help would be greatly appreciated.

I am trying to create a PHP signup/login form. Everything seems to be working properly, except for the password verification. Here is the part of the code where username/password are defined and requested from the database for verification:

    $username = $_POST['username'];
    $pwd = $_POST['pwd'];
....
....
....
    else{
            $sql = "SELECT * FROM users WHERE username=?;";
            $stmt = mysqli_stmt_init($conn);
            if(!mysqli_stmt_prepare($stmt, $sql)){
              echo "MySQL Error!";
              exit();
            }
             else{
               mysqli_stmt_bind_param($stmt, 's', $username);
               mysqli_stmt_execute($stmt);
               $result= mysqli_stmt_get_result($stmt);
               if ($row = mysqli_fetch_assoc($result)) {
                 $pwdCheck = password_verify($pwd, $row['password']);
                 if($pwdCheck == false){
                 header("Location: ../login.php?error=wrongpassword");
                 exit();
                }
                else if($pwdCheck == true){
                session_start();
                $_SESSION['userId'] = $row['id'];
                $_SESSION['username'] = $row['username'];
                header ("Location: ../login.php?login=success");
                exit();
               }

Here are some things to take into consideration:

  1. I set the passwords table in the database to LONGTEXT and varchar(250) - still no luck.

  2. Here is the output from var_dump($pwdCheck, $pwd, $row['password'])

    bool(false) string(8) "testtest" string(60) "$2y$10$nSMyRdh5RcjlKu.vaQMLHeRjmfYTqkjjdnM7HI4Di/294EBCpE1JG"

It returns bool(false), while "testtest" is the correct password and the string displayed by var_dump is the correct hash from the password database table. So I am really not sure what went wrong here.

Here is how the password is hashed(note that this is done in a separate PHP script, not sure if matters)

else{

$sql = "INSERT INTO users (username, mailuid, password, managername, teamname) VALUES (?,?,?,?,?)";
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt, $sql)){
echo "MySQL Error";
}
else{
$hashpwd = password_hash($password, PASSWORD_DEFAULT);
mysqli_stmt_bind_param($stmt, "sssss", $username, $mailuid, $hashpwd, $managername, $teamname);
mysqli_stmt_execute($stmt);
  header("Location: ../signup.php?signup=success");
exit();
}

Everything else works as expected. The username for example is fetched successfully from the DB(username table). It looks that the hashed pass is also fetched from the passwords DB table, but the verification still fails.



Read more here: https://stackoverflow.com/questions/64395140/php-can-not-login-with-correct-password-using-password-hash-password-verify

Content Attribution

This content was originally published by the_arsenal_bg at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.

%d bloggers like this: