0

I didn't take asking this question lightly as I've seriously gone over 50 links throughout the entire night trying to get password_verify() to work.

1- The Hash Is 100% Correct.
2- The Plain Text Verison Is 100% Correct.
3- The Hash Length Is In Fact 60.
4- Tried Password_Default And Password_Bcrypt
5- It Does Successfully Pull The Password Out Of The Database.

BUT

if(password_verify($answer,$secAnswer)){ } IS ALWAYS false.

Here is my Code.

  function anti_injection_login($sql, $formUse = true){
$sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|,|'|#|\*|--|\\\\)/i","",$sql);
$sql = trim($sql);
$sql = strip_tags($sql);
if(!$formUse || !get_magic_quotes_gpc())
  $sql = addslashes($sql);
return $sql;
}


  $email = anti_injection_login($_POST['email']);
  $answer = anti_injection_login($_POST['answer']);
  $queryAccount = mysqli_query($conn, "SELECT * FROM Accounts where email= '$email'");
  $count = mysqli_num_rows($queryAccount);
  if($count == 1){
     $rows = mysqli_fetch_array($queryAccount);
     $secAnswer = $rows['secretkey'];

     if(password_verify($answer,$secAnswer)){
         echo "Successful";
     }else{
         echo "Try Again";
     }
  }

the anti_injection_login is just to stop people from injecting it. This is NOT the problem.
As no matter where I put an Echo with the $secAnswer and $answer it is always correct exactly as I would expect it to be.

Is there something I am missing guys? I am seriously stumped on this now.

(Yes this is the entire script). So I'm not leaving anything out. But as mentioned, it is successfully pulling the hash, (and is correct) according to the database version it's identical.

And the word I used for the hash is Identical (Tried both Upper case and Lowercase).

Improve this question
8
  • 3
    Please use prepared statements. You don't need to roll your own sanitation. Commented Sep 30, 2016 at 9:18
  • 1
    What does $rows['secretkey'] contains (provide example). And show how you generate secretkey hash. Also your anti_injection_login will ruin my logins if password is something like aliform_at_insert Commented Sep 30, 2016 at 9:19
  • 2
    Sorry, anti_injection_login() is asking for your site to be hacked. Prepared statements is what you need. Commented Sep 30, 2016 at 9:21
  • 1
    You should not modify the password that gets sent in, any change to (or forgetting to use...) your anti_injection_login() function can break valid passwords. Just use a prepared statement instead. Commented Sep 30, 2016 at 9:23
  • Alright so it's seeming I just need to get rid of that function all together and use prepared statements? Sorry new to PHP.. Commented Sep 30, 2016 at 9:23

1 Answer 1

Reset to default
2

The PHP Manual gives a very clear example:

<?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>

First of all, your password hash needs to be created by the password_hash() function when the user registers.

At login, you then pass the password from the form into password_verify() along with the stored hash from the database.

However, your code passes the form data through anti_injection_login() which is doing who-knows-what with any given input. You shouldn't need to sanitize the password if you're passing it straight into password_verify(). I highly recommend you use prepared statements to retrieve the hash from the database, and pass $_POST['answer'] straight into password_verify().

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.