I'm having trouble verifying a password with the password_hash and password_verify functions. For some reason it always returns false.
The hash is stored in a database. When the user provides an email and a password, if a record of a user with the provided email exists, the provided pass and the hash from that user record are verified (which returns false, when providing the right password).
The code below is for test purposes because it wasn't working properly in the real context (with data stored in the database).
Here's some of the code.
<?php
//create random password with 15 chars
$pass = generate_random_string(15);
$hash = password_hash($pass, PASSWORD_BCRYPT);
var_dump(password_verify($pass, $hash));
//returns bool(true)
Until this part everything is fine: it creates a pass, hashes it, and when verified returns true. Now the weird part.
if (isset($_GET['pass']) && isset($_GET['hash'])) {
    var_dump(password_verify($_GET['pass'], $_GET['hash']));
    //returns bool(false)
}
?>
If I take the previously generated values (pass and hash), pass them as URL parameters and verify them, it returns false.
What am I doing wrong here?
UPDATE
Dumping the $_GET array shows the correct parameters and values.
password_verify function as well - Derek Pollard
hash supposed to be stored and used later when the user sends the password? - A.L
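An added diagnostic example, not part of the original question or its comments: it checks whether a password and bcrypt hash survive the trip through a query string byte for byte, and reports the length and detected algorithm of the hash that password_verify actually receives. The sample password and the helper names describe_hash and round_trip are constructed for illustration.

```php
<?php
// Added diagnostic example, not the asker's code. Helper names are hypothetical.

// Report what password_verify() is actually being given.
function describe_hash(string $hash): array
{
    $info = password_get_info($hash);
    return [
        'length'    => strlen($hash),              // a bcrypt hash is exactly 60 bytes
        'algorithm' => $info['algoName'],          // "unknown" if truncated or altered
        'hex_tail'  => bin2hex(substr($hash, -4)), // exposes trailing spaces or newlines
    ];
}

// Simulate how PHP fills $_GET from a query string, without a web server.
function round_trip(string $query): array
{
    parse_str($query, $params);
    return $params;
}

// Constructed sample: a password containing characters that are special in URLs.
$pass = 'aB3+x&9%41#zQ';
$hash = password_hash($pass, PASSWORD_BCRYPT);

// Case 1: values pasted into the URL as-is.
$raw = round_trip('pass=' . $pass . '&hash=' . $hash);
// Case 2: values percent-encoded before being placed in the URL.
$encoded = round_trip(http_build_query(['pass' => $pass, 'hash' => $hash]));

foreach (['raw' => $raw, 'encoded' => $encoded] as $label => $get) {
    $p = $get['pass'] ?? '';
    $h = $get['hash'] ?? '';
    printf(
        "%-8s pass intact: %-3s hash intact: %-3s verify: %s\n",
        $label,
        $p === $pass ? 'yes' : 'no',
        hash_equals($hash, $h) ? 'yes' : 'no',
        var_export(password_verify($p, $h), true)
    );
    print_r(describe_hash($h));
}
```

The same describe_hash check can be run on a hash read back from the database, where a length other than 60 or an algorithm of "unknown" means the stored value is no longer the one password_hash produced.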