
Thread: [RESOLVED] password_verify Always Returning True or False

  1. #1

    Thread Starter
    Super Moderator dday9's Avatar
    Join Date
    Mar 2011
    Location
    South Louisiana
    Posts
    11,715

    [RESOLVED] password_verify Always Returning True or False

    I am attempting to create a PHP login page and I'm running into an issue to where password_verify is always returning True if I assign the method to a variable or always returning False if I directly check the method in a conditional statement, regardless of if the actual password is correct.

    For some background, this is the code that I'm using to insert a user into the MySQL datatable:
    PHP Code:
    <?php
      // Database variables
      $serverName = "-removed-";
      $dbUsername = "-removed-";
      $dbPassword = "-removed-";
      $dbName = "-removed-";

      // Login <form> variables
      $inputEmail = $_POST['email'];
      $inputPassword = $_POST['password'];

      // Create connection
      $dsn = 'mysql:dbname='.$dbName.';host='.$serverName.';charset=utf8mb4';
      echo $dsn;
      $db = new PDO($dsn, $dbUsername, $dbPassword);
      $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
      $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

      try {
        // Insert a username and password, though the password is actually a hashed password
        $stmt = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :hashedPass);");

        // Parameterize the query and also encrypt $inputPassword
        $stmt->bindValue(':email', $inputEmail, PDO::PARAM_STR);
        $stmt->bindValue(':hashedPass', password_hash($inputPassword, PASSWORD_DEFAULT), PDO::PARAM_STR);

        // Execute the query
        $stmt->execute();

        // Explicitly close the connection
        $db = null;
      } catch(PDOException $ex) {
        // debug mode, simply echo the exception
        echo json_encode($ex->getMessage());
      }
    ?>
    Then I attempt to login to the website using the following:
    PHP Code:
    <?php
    // Check if the user is currently logged in
    if (isset($_SESSION["id"])) {
      // Return a JSON object to indicate the login status
      echo '{"isset": true}';
    } else {
      // Database variables
      $serverName = "-removed-";
      $dbUsername = "-removed-";
      $dbPassword = "-removed-";
      $dbName = "-removed-";

      // Login <form> variables
      $inputEmail = $_POST['email'];
      $inputPassword = $_POST['password'];

      // Create connection
      $dsn = 'mysql:dbname='.$dbName.';host='.$serverName.';charset=utf8mb4';
      $db = new PDO($dsn, $dbUsername, $dbPassword);
      $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
      $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

      try {
        // Select 1 row, but all columns from the [users] table by the username column
        $stmt = $db->prepare("SELECT * FROM users WHERE email=:email LIMIT 1");

        // Parameterize the query
        $stmt->bindValue(':email', $inputEmail, PDO::PARAM_STR);

        // Execute the query and return the results into $row
        $stmt->execute();
        $row = $stmt->fetchAll(PDO::FETCH_ASSOC);

        // Ensure that a row was returned
        if (count($row) > 0) {
          // Get just hashed password
          $hashedPassword = $row[0]['password'];

          // Confirm that the hashed password matches input as well
          if(password_verify($inputPassword, $hashedPassword)) {
            // Assign the session [id] to the username's id
            $_SESSION["id"] = $row[0]['id'];
            echo '{"valid": false, "email": true, "password": true, "inputPassword":'.$inputPassword.', "hashedPassword": '.json_encode($hashedPassword).'}';
          } else {
            // Return a JSON object to indicate the invalid login
            echo '{"valid": false, "email": true, "password": false}';
          }
        } else {
          // Return a JSON object to indicate the invalid login
          echo '{"valid": false, "email": false, "password": null}';
        }

        // Explicitly close the connection
        $db = null;
      } catch(PDOException $ex) {
        // debug mode, simply echo the exception
        echo json_encode($ex->getMessage());
      }
    }
    ?>
    And again, to elaborate on what my issue is: What is happening is if I use password_verify directly inside of the conditional if statement it will always return a False value regardless of if the $inputPassword is correct or not and if I assign the value from password_verify to a variable (as shown in an example below) then the conditional if statement will always return a True value regardless of if $inputPassword is correct or not.
    PHP Code:
    $verify = password_verify($inputPassword, $hashedPassword);
    if(verify) {
      ...
    I am so very confused as to why this is happening.
    "Code is like humor. When you have to explain it, it is bad." - Cory House
    VbLessons | Code Tags | Sword of Fury - Jameram

  2. #2
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,532

    Re: password_verify Always Returning True or False

    what does the password_verify function look like?

    -tg
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *

  3. #3

    Thread Starter
    Super Moderator dday9's Avatar

    Re: password_verify Always Returning True or False

    I'm a little confused as to what you're referring to, is it this:

    The actual value of password_verify is always False if directly used in the conditional if statement (as demonstrated in the second PHP code tag on line 40) and is always True if used as a variable (as demonstrated in the third PHP code tag).

  4. #4

    Thread Starter
    Super Moderator dday9's Avatar

    Re: password_verify Always Returning True or False

    I realized that the hash was being truncated when it was inserted into the database. At first I was storing the actual password instead of the hash, I had the maximum length set to 25, and since password_verify was returning the same first 25 letters, it was returning a True value.

    What I did to correct the issue was change the MySQL column from a VARCHAR(25) to BLOB.
    "Code is like humor. When you have to explain it, it is bad." - Cory House
    VbLessons | Code Tags | Sword of Fury - Jameram
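
Added example (not part of the thread or any poster's code): the truncation described in post #4, reproduced without a database, showing that a hash cut to 25 characters fails verification even for the correct password. It assumes bcrypt hashes; `storeInColumn` and `verifyStored` are hypothetical helpers and the password is a constructed sample.

```php
<?php
// Added example; every value here is constructed for illustration.

// What a VARCHAR($width) column keeps when MySQL is not in strict SQL mode:
// the value is cut to the column width and only a warning is raised.
// (In strict mode the INSERT fails with a "Data too long" error instead.)
function storeInColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Hypothetical guard: verify only against a complete bcrypt hash, so a
// damaged stored value is reported instead of looking like a wrong password.
// Assumption: hashes are bcrypt ("$2y$", always 60 characters long).
function verifyStored(string $password, string $stored): string
{
    if (strlen($stored) !== 60 || strncmp($stored, '$2y$', 4) !== 0) {
        return 'stored hash is damaged';
    }
    return password_verify($password, $stored) ? 'match' : 'mismatch';
}

$password = 'correct horse battery staple';   // constructed sample password
$hash     = password_hash($password, PASSWORD_BCRYPT);

$narrow = storeInColumn($hash, 25);    // the VARCHAR(25) column from the thread
$wide   = storeInColumn($hash, 255);   // a column wide enough for the hash

// Length of the full hash versus what each column kept
var_dump(strlen($hash), strlen($narrow), strlen($wide));

// The correct password checked against the truncated and the intact hash
var_dump(password_verify($password, $narrow));
var_dump(password_verify($password, $wide));

// The guard separates a storage problem from a wrong password
echo verifyStored($password, $narrow), "\n";
echo verifyStored($password, $wide), "\n";
echo verifyStored('wrong guess', $wide), "\n";
```

The PHP manual suggests a 255-character column for `password_hash` output, because `PASSWORD_DEFAULT` may produce longer hashes in future PHP versions.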
