-
Sep 20th, 2017, 08:22 PM
#1
[RESOLVED] password_verify Always Returning True or False
I am attempting to create a PHP login page and I'm running into an issue where password_verify always returns True if I assign the result to a variable, or always returns False if I check the function call directly in a conditional statement, regardless of whether the actual password is correct.
For some background, this is the code that I'm using to insert a user into the MySQL table:
PHP Code:
<?php
// Database variables
$serverName = "-removed-";
$dbUsername = "-removed-";
$dbPassword = "-removed-";
$dbName     = "-removed-";

// Login <form> variables
$inputEmail    = $_POST['email'];
$inputPassword = $_POST['password'];

// Create connection
$dsn = 'mysql:dbname=' . $dbName . ';host=' . $serverName . ';charset=utf8mb4';
echo $dsn; // debug output only; remove before deploying, it reveals host and database name
$db = new PDO($dsn, $dbUsername, $dbPassword);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

try {
    // Insert an email and password, though the password is actually a hashed password
    $stmt = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :hashedPass);");

    // Parameterize the query and also hash $inputPassword (bcrypt via PASSWORD_DEFAULT, 60 characters)
    $stmt->bindValue(':email', $inputEmail, PDO::PARAM_STR);
    $stmt->bindValue(':hashedPass', password_hash($inputPassword, PASSWORD_DEFAULT), PDO::PARAM_STR);

    // Execute the query
    $stmt->execute();

    // Explicitly close the connection
    $db = null;
} catch (PDOException $ex) {
    // debug mode, simply echo the exception
    echo json_encode($ex->getMessage());
}
?>
Then I attempt to login to the website using the following:
PHP Code:
<?php
// $_SESSION is only populated after the session has been started
session_start();

// Check if the user is currently logged in
if (isset($_SESSION["id"])) {
    // Return a JSON object to indicate the login status
    echo '{"isset": true}';
} else {
    // Database variables
    $serverName = "-removed-";
    $dbUsername = "-removed-";
    $dbPassword = "-removed-";
    $dbName     = "-removed-";

    // Login <form> variables
    $inputEmail    = $_POST['email'];
    $inputPassword = $_POST['password'];

    // Create connection
    $dsn = 'mysql:dbname=' . $dbName . ';host=' . $serverName . ';charset=utf8mb4';
    $db = new PDO($dsn, $dbUsername, $dbPassword);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    try {
        // Select 1 row, but all columns from the [users] table by the email column
        $stmt = $db->prepare("SELECT * FROM users WHERE email=:email LIMIT 1");

        // Parameterize the query
        $stmt->bindValue(':email', $inputEmail, PDO::PARAM_STR);

        // Execute the query and return the results into $row
        $stmt->execute();
        $row = $stmt->fetchAll(PDO::FETCH_ASSOC);

        // Ensure that a row was returned
        if (count($row) > 0) {
            // Get just the hashed password
            $hashedPassword = $row[0]['password'];

            // Confirm that the hashed password matches the input as well
            if (password_verify($inputPassword, $hashedPassword)) {
                // Assign the session [id] to the user's id
                $_SESSION["id"] = $row[0]['id'];
                // Debug response: echoes the submitted password and stored hash back to the client.
                // json_encode() keeps the JSON valid; drop both fields once the login works.
                echo '{"valid": false, "email": true, "password": true, "inputPassword": ' . json_encode($inputPassword) . ', "hashedPassword": ' . json_encode($hashedPassword) . '}';
            } else {
                // Return a JSON object to indicate the invalid login
                echo '{"valid": false, "email": true, "password": false}';
            }
        } else {
            // Return a JSON object to indicate the invalid login
            echo '{"valid": false, "email": false, "password": null}';
        }

        // Explicitly close the connection
        $db = null;
    } catch (PDOException $ex) {
        // debug mode, simply echo the exception
        echo json_encode($ex->getMessage());
    }
}
?>
And again, to elaborate on my issue: if I use password_verify directly inside the conditional if statement, it always returns False regardless of whether $inputPassword is correct, and if I assign the result of password_verify to a variable (as shown in the example below) the conditional if statement always returns True regardless of whether $inputPassword is correct.
PHP Code:
$verify = password_verify($inputPassword, $hashedPassword);
// the result has to be tested as the variable $verify; a bare "verify" is an undefined constant
if ($verify) {
    ...
I am so very confused as to why this is happening.
-
Sep 20th, 2017, 08:26 PM
#2
Re: password_verify Always Returning True or False
what does the password_verify function look like?
-tg
-
Sep 20th, 2017, 08:32 PM
#3
Re: password_verify Always Returning True or False
I'm a little confused as to what you're referring to, is it this:
The actual value of password_verify is always False if directly used in the conditional if statement (as demonstrated in the second PHP code tag on line 40) and is always True if used as a variable (as demonstrated in the third PHP code tag).
-
Sep 20th, 2017, 09:57 PM
#4
Re: password_verify Always Returning True or False
I realized that the hash was being truncated when it was inserted into the database. At first I was storing the actual password instead of the hash, I had the maximum length set to 25, and since password_verify was returning the same first 25 letters, it was returning a True value.
What I did to correct the issue was change the MySQL column from a VARCHAR(25) to BLOB.
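Added example (editor's code, not from any post in this thread): it reproduces the truncation failure from post #4 without a database and shows a login-side check that catches a truncated or plaintext stored value before it is handed to password_verify. The sample password is constructed, and the helper names isWellFormedHash and checkPassword are this example's own.

```php
<?php
// Added example, not code from any post in this thread. It reproduces the
// failure mode from post #4 without a database: a bcrypt hash cut down to
// 25 characters can never verify, and password_get_info() exposes that.
declare(strict_types=1);

// Constructed sample credential for the demo, not a real password.
$password = 'correct horse battery staple';

// PASSWORD_DEFAULT is bcrypt, whose output is always 60 characters ("$2y$10$...").
// The PHP manual recommends a column of 255 characters so that a future default
// algorithm with longer output still fits.
$hash = password_hash($password, PASSWORD_DEFAULT);
printf("full hash length: %d\n", strlen($hash));

// What a VARCHAR(25) column did in the thread: only the first 25 characters
// survived the INSERT (MySQL truncates silently unless strict sql_mode is on,
// in which case it raises "Data too long for column" instead).
$truncated = substr($hash, 0, 25);

var_dump(password_verify($password, $hash));
var_dump(password_verify($password, $truncated));

/**
 * Reject stored values that are not a complete, recognised hash before
 * calling password_verify(). password_get_info() reports algo null (PHP >= 7.4)
 * or 0 (older PHP) with algoName "unknown" for a truncated hash or for a column
 * that still holds plaintext, so this surfaces the thread's bug at login time
 * instead of producing a silent "wrong password".
 */
function isWellFormedHash(string $stored): bool
{
    $info = password_get_info($stored);
    return $info['algo'] !== null && $info['algo'] !== 0;
}

/**
 * Login-side check (hypothetical helper): verify the input and flag hashes
 * that should be regenerated, e.g. after raising the bcrypt cost or after
 * PASSWORD_DEFAULT changes. Returns [valid, needsRehash].
 */
function checkPassword(string $input, string $stored): array
{
    if (!isWellFormedHash($stored)) {
        // Worth logging server-side: the stored value is corrupt or truncated,
        // which is a schema problem rather than a user typo.
        return [false, false];
    }
    $valid       = password_verify($input, $stored);
    $needsRehash = $valid && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$valid, $needsRehash];
}

var_dump(isWellFormedHash($hash));
var_dump(isWellFormedHash($truncated));
var_dump(checkPassword($password, $truncated));
var_dump(checkPassword($password, $hash));

// Schema fix matching the PHP manual's advice. The thread's switch to BLOB also
// holds the full 60 characters; VARCHAR(255) leaves headroom for longer hashes.
//   ALTER TABLE users MODIFY password VARCHAR(255) NOT NULL;
```

Run it with `php demo.php`: the full hash verifies, the 25-character copy does not, and isWellFormedHash rejects the truncated value outright, so a login handler built on checkPassword can distinguish "wrong password" from "the password column is too narrow". Enabling MySQL's strict sql_mode would have made the original INSERT fail loudly instead of storing a truncated hash.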