I didn't take asking this question lightly as I've seriously gone over 50 links throughout the entire night trying to get password_verify() to work.
1- The Hash Is 100% Correct.
2- The Plain Text Verison Is 100% Correct.
3- The Hash Length Is In Fact 60.
4- Tried Password_Default And Password_Bcrypt
5- It Does Successfully Pull The Password Out Of The Database.
BUT
if(password_verify($answer,$secAnswer)){ } IS ALWAYS false.
Here is my Code.
function anti_injection_login($sql, $formUse = true){
$sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|,|'|#|\*|--|\\\\)/i","",$sql);
$sql = trim($sql);
$sql = strip_tags($sql);
if(!$formUse || !get_magic_quotes_gpc())
$sql = addslashes($sql);
return $sql;
}
$email = anti_injection_login($_POST['email']);
$answer = anti_injection_login($_POST['answer']);
$queryAccount = mysqli_query($conn, "SELECT * FROM Accounts where email= '$email'");
$count = mysqli_num_rows($queryAccount);
if($count == 1){
$rows = mysqli_fetch_array($queryAccount);
$secAnswer = $rows['secretkey'];
if(password_verify($answer,$secAnswer)){
echo "Successful";
}else{
echo "Try Again";
}
}
the anti_injection_login is just to stop people from injecting it. This is NOT the problem.
As no matter where I put an Echo with the $secAnswer and $answer it is always correct exactly as I would expect it to be.
Is there something I am missing guys? I am seriously stumped on this now.
(Yes this is the entire script). So I'm not leaving anything out. But as mentioned, it is successfully pulling the hash, (and is correct) according to the database version it's identical.
And the word I used for the hash is Identical (Tried both Upper case and Lowercase).
The PHP Manual gives a very clear example:
<?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
if (password_verify('rasmuslerdorf', $hash)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
?>
First of all, your password hash needs to be created by the password_hash() function when the user registers.
At login, you then pass the password from the form into password_verify() along with the stored hash from the database.
However, your code passes the form data through anti_injection_login() which is doing who-knows-what with any given input. You shouldn't need to sanitize the password if you're passing it straight into password_verify(). I highly recommend you use prepared statements to retrieve the hash from the database, and pass $_POST['answer'] straight into password_verify().
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments