Inconsistent behavior in password_verify #82

Open
bonarae opened this issue Jul 27, 2015 · 4 comments

@bonarae

bonarae commented Jul 27, 2015

I use the latest version of PHP 5.4 and I am currently developing a system that uses the password_compat library.

Since I develop in a localhost environment, I have noticed inconsistency in the password_verify function whenever I use it in my function each time the server is restarted (i.e. by shutting down my servers and starting them again next time) and I try to use the stored password stored in my MySQL DB.

This library has been a life-saver for me but this issue has been bothering me for quite some time.

@lode

lode commented Jul 27, 2015

Can you post your code? Without it, it is hard to determine what is going on, as I (and I guess lots of others) don't experience this problem.

@bonarae
Author

bonarae commented Jul 27, 2015

In one of my PHP files (processSignup.php) that involves storing the hashed password:

$password = $_POST['password'];

$password = $mysqli->real_escape_string($password);

$securePassword = password_hash($password, PASSWORD_BCRYPT);

then the $securePassword variable is stored into a MySQL database with the following parameters in my prepared statement:

$statement = $mysqli->prepare("INSERT INTO users SET `username` = ?, `password` = ?, `email_address` = ?, `signup_ts` = ?, `isadmin` = ?");

$statement->bind_param('sssdd',$username, $securePassword, $email, time(), $defaultAdmin);

For the verification of password (loginProcess.php), which involves retrieving the hashed password and then verifying it with the password inputted for the specified user:

$password = $_POST['password'];

$password = $mysqli->real_escape_string($password);

$statement = $mysqli->prepare("SELECT userid, username, password, email_address, isadmin, isbanned FROM users WHERE `username`=?");
...
$statement->bind_result($a, $b, $c, $d, $e, $f);
  while ($statement->fetch()) {
    $user[] = ['userid' => $a, 'username' => $b, 'password' => $c, 'email_address' => $d, 'isadmin' => $e, 'isbanned' => $f];
  }

$verifiedPassword = password_verify($password, $user['password']);

However, whenever I restart my PHP server, $verifiedPassword always returns false, no matter when the password was hashed. The $user array returns fine whenever I debug it through print($user);

Also, in my MySQL table, password is a VARCHAR with 255 character length.

@miquelfire

$password = $mysqli->real_escape_string($password);

What's with that line? It might be the cause of your issues.

@ircmaxell
Owner

Also, $user is a 2-dimensional array, yet you're accessing it as a single-dimensional array. It should be something like $user[0]['password'] in the last line (assuming that you're correctly checking for errors and no-returns).
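
Added example, not part of the thread and not password_compat's own code: a self-contained check of the two points raised in the replies above, the row indexing of `$user` and the effect of escaping a password before hashing or verifying it. The helper name `verify_login`, the sample row and the sample password are constructed for illustration, and `addslashes()` is used as a stand-in for `$mysqli->real_escape_string()` so the script runs without a database.

```php
<?php
// Added example; not code from this thread or from password_compat.
// Assumes password_hash()/password_verify() exist (PHP 5.5+ or password_compat loaded).

// Hypothetical helper: $rows has the shape built by the fetch loop ($user[] = [...]).
// Returns the matching row, or null when the login must be rejected.
function verify_login(array $rows, $rawPassword)
{
    // Zero rows: unknown username. Several rows: username is not unique. Reject both.
    if (count($rows) !== 1) {
        return null;
    }
    $row = $rows[0]; // rows are numerically indexed; the hash is not at $rows['password']
    if (!isset($row['password']) || !is_string($row['password'])) {
        return null;
    }
    // Verify the password exactly as submitted, with no SQL escaping applied.
    return password_verify($rawPassword, $row['password']) ? $row : null;
}

// Constructed sample data: a password containing a quote and a backslash.
$submitted = "o'brien\\pass";
$hash = password_hash($submitted, PASSWORD_BCRYPT);
$rows = [];
$rows[] = ['userid' => 1, 'username' => 'demo', 'password' => $hash];

// Access pattern: compare the top-level key used in the thread with the per-row key.
echo 'isset($rows["password"]): ';
var_dump(isset($rows['password']));
echo 'isset($rows[0]["password"]): ';
var_dump(isset($rows[0]['password']));

// Escaping: addslashes() stands in for $mysqli->real_escape_string() so this runs
// without a database connection; both add backslashes before quotes and backslashes.
$escaped = addslashes($submitted);
echo 'raw verifies against hash of raw: ';
var_dump(verify_login($rows, $submitted) !== null);
echo 'escaped verifies against hash of raw: ';
var_dump(verify_login($rows, $escaped) !== null);

// No row fetched for the username.
echo 'empty result set accepted: ';
var_dump(verify_login([], $submitted) !== null);
```

Because the queries shown in the thread bind the username with a placeholder and never place the password in the SQL text, the password needs no escaping on either the sign-up or the login path.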
