ircmaxell / password_compat

Compatibility with the password_* functions that ship with PHP 5.5
MIT License

Inconsistent behavior in password_verify #82

Open bonarae opened 9 years ago

bonarae commented 9 years ago

I use the latest version of PHP 5.4 and I am currently developing a system that uses the password_compat library.

Since I develop in a localhost environment, I have noticed inconsistency in the password_verify function whenever I use it in my function each time the server is restarted (i.e. by shutting down my servers and starting them again next time) and I try to use the password stored in my MySQL DB.

This library has been a life-saver for me but this issue has been bothering me for quite some time.

lode commented 9 years ago

Can you post your code? Without it, it is hard to determine what is going on, as I (and I guess lots of others) don't experience this problem.

bonarae commented 9 years ago

In one of my PHP files (processSignup.php) that involves storing the hashed password:

$password = $_POST['password'];

$password = $mysqli->real_escape_string($password);

$securePassword = password_hash($password, PASSWORD_BCRYPT);

then the $securePassword variable is stored into a MySQL database with the following parameters in my prepared statement:

$statement = $mysqli->prepare("INSERT INTO users SET `username` = ?, `password` = ?, `email_address` = ?, `signup_ts` = ?, `isadmin` = ?");

$statement->bind_param('sssdd', $username, $securePassword, $email, time(), $defaultAdmin);

For the verification of password (loginProcess.php), which involves retrieving the hashed password and then verifying it with the password inputted for the specified user:

$password = $_POST['password'];

$password = $mysqli->real_escape_string($password);

$statement = $mysqli->prepare("SELECT userid, username, password, email_address, isadmin, isbanned FROM users WHERE `username`=?");
...
$statement->bind_result($a, $b, $c, $d, $e, $f);
while ($statement->fetch()) {
    $user[] = ['userid' => $a, 'username' => $b, 'password' => $c, 'email_address' => $d, 'isadmin' => $e, 'isbanned' => $f];
}

$verifiedPassword = password_verify($password, $user['password']);

However, whenever I restart my PHP server, $verifiedPassword always returns false, no matter when the password was hashed. The $user array returns fine whenever I debug it through print($user);

Also, in my MySQL table, password is a VARCHAR with 255 character length.

miquelfire commented 9 years ago
$password = $mysqli->real_escape_string($password);

What's with that line? It might be the cause of your issues.

ircmaxell commented 9 years ago

Also, $user is a 2-dimensional array, yet you're accessing it as a single-dimensional array. It should be something like $user[0]['password'] in the last line (assuming that you're correctly checking for errors and no-returns).
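The two points raised above, real_escape_string() applied to the password and $user indexed as if it held one row, are the differences between the posted code and a minimal signup/login pair that uses password_hash() and password_verify() the way they are meant to be used. The following is an added example, not code from password_compat or from the issue author. It reuses the table and column names from the posted queries (users, username, password, email_address, signup_ts, isadmin, isbanned); the require path for password_compat, the integer column types for signup_ts and isadmin, and the database connection are assumptions. The final helper shows, without a database, that escaping a password changes its bytes: real_escape_string() rewrites quotes and backslashes for use inside a SQL string literal, which bound parameters make unnecessary and which is never a transformation you want applied to credentials. addslashes() stands in for real_escape_string() there because the latter needs an open connection.

```php
<?php
// Added example (not password_compat's own code): hash on signup, verify on login,
// with bound parameters and without escaping the password.
// Assumption: password_compat is available at this path (a no-op on PHP >= 5.5).
require_once __DIR__ . '/lib/password.php';

function store_user(mysqli $db, $username, $password, $email)
{
    // Hash the raw password exactly as the user typed it. Do not run it through
    // real_escape_string(): bound parameters need no escaping, and escaping
    // changes the bytes that get hashed.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }

    $stmt = $db->prepare(
        'INSERT INTO users (`username`, `password`, `email_address`, `signup_ts`, `isadmin`) ' .
        'VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    // bind_param() takes its arguments by reference, so values such as time()
    // must be placed in variables first. Integer columns are assumed here.
    $ts      = time();
    $isAdmin = 0;
    $stmt->bind_param('sssii', $username, $hash, $email, $ts, $isAdmin);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function check_login(mysqli $db, $username, $password)
{
    $stmt = $db->prepare(
        'SELECT userid, username, password, isadmin, isbanned FROM users WHERE `username` = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $name, $hash, $isAdmin, $isBanned);

    // Fetch exactly one row into scalars, so there is no array-shape confusion
    // like $user['password'] on a list of rows. An unknown user yields false.
    if (!$stmt->fetch()) {
        $stmt->close();
        return false;
    }
    $stmt->close();

    // Compare the raw submitted password with the stored hash. password_verify()
    // reads the cost and salt out of the hash itself; nothing else is needed.
    if (!password_verify($password, $hash)) {
        return false;
    }
    return array('userid' => $id, 'username' => $name, 'isadmin' => $isAdmin, 'isbanned' => $isBanned);
}

// Database-free check of the escaping problem. addslashes() is used as a
// stand-in for real_escape_string(), which requires an open connection.
function demo_escape_vs_hash()
{
    $raw     = "pa'ss\\word";          // constructed sample password with a quote and a backslash
    $escaped = addslashes($raw);       // what the password becomes after SQL escaping
    $hash    = password_hash($raw, PASSWORD_BCRYPT);
    return array(
        'escaped_differs'  => $escaped !== $raw,                 // true
        'raw_verifies'     => password_verify($raw, $hash),      // true
        'escaped_verifies' => password_verify($escaped, $hash),  // false
    );
}

var_dump(demo_escape_vs_hash());
```

Run the script on its own and the var_dump() shows that the escaped string no longer verifies against a hash of the original; the same mismatch happens in a real login flow whenever escaping is applied on one side and not the other, or when the escaping output differs between runs. The login helper returns a single row or false, so the caller never has to guess whether it is looking at a row or at a list of rows.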