I didn't take asking this question lightly as I've seriously gone over 50 links throughout the entire night trying to get password_verify() to work.
1- The Hash Is 100% Correct.
2- The Plain Text Version Is 100% Correct.
3- The Hash Length Is In Fact 60.
4- Tried PASSWORD_DEFAULT And PASSWORD_BCRYPT
5- It Does Successfully Pull The Password Out Of The Database.
BUT
if(password_verify($answer,$secAnswer)){ } IS ALWAYS false.
Here is my Code.
    function anti_injection_login($sql, $formUse = true){
        $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|,|'|#|\*|--|\\\\)/i","",$sql);
        $sql = trim($sql);
        $sql = strip_tags($sql);
        if(!$formUse || !get_magic_quotes_gpc())
            $sql = addslashes($sql);
        return $sql;
    }

    $email = anti_injection_login($_POST['email']);
    $answer = anti_injection_login($_POST['answer']);
    $queryAccount = mysqli_query($conn, "SELECT * FROM Accounts where email= '$email'");
    $count = mysqli_num_rows($queryAccount);
    if($count == 1){
        $rows = mysqli_fetch_array($queryAccount);
        $secAnswer = $rows['secretkey'];
        if(password_verify($answer,$secAnswer)){
            echo "Successful";
        }else{
            echo "Try Again";
        }
    }
The anti_injection_login is just to stop people from injecting it.
This is NOT the problem.
As no matter where I put an echo with the $secAnswer and $answer it is always correct exactly as I would expect it to be.
Is there something I am missing guys? I am seriously stumped on this now.
(Yes this is the entire script). So I'm not leaving anything out. But as mentioned, it is successfully pulling the hash, (and is correct) according to the database version it's identical.
And the word I used for the hash is Identical (Tried both Upper case and Lowercase).
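
An added example, not part of the original post: it runs a copy of the posted filter over constructed sample answers to show when the filtered string no longer matches the stored hash, next to a parameterized lookup that passes the raw input to password_verify(). Assumptions: an in-memory SQLite table via PDO stands in for the MySQL `Accounts` table, `verify_answer()` is a hypothetical helper, and the e-mail addresses and answers are made up.

```php
<?php
// Added example, not the poster's code. All sample values are constructed.

// Copy of the posted filter. get_magic_quotes_gpc() no longer exists in PHP 8,
// so addslashes() is applied unconditionally, as it is when magic quotes are off.
function anti_injection_login(string $sql): string {
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|,|'|#|\*|--|\\\\)/i", "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    return addslashes($sql);
}

// Hypothetical helper: the bound parameter keeps the e-mail out of the SQL text,
// and the answer is never modified before password_verify() sees it.
function verify_answer(PDO $db, string $email, string $answer): bool {
    $stmt = $db->prepare('SELECT secretkey FROM Accounts WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($answer, $hash);
}

// Constructed accounts: e-mail => secret answer as the user typed it.
$samples = [
    'a@example.test' => 'fluffy',
    'b@example.test' => "Where I'm from",
    'c@example.test' => 'Rex "the dog"',
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Accounts (email TEXT PRIMARY KEY, secretkey TEXT)');
$ins = $db->prepare('INSERT INTO Accounts (email, secretkey) VALUES (?, ?)');
foreach ($samples as $email => $plain) {
    $ins->execute([$email, password_hash($plain, PASSWORD_DEFAULT)]);
}

foreach ($samples as $email => $plain) {
    $filtered = anti_injection_login($plain);
    printf(
        "%-18s raw: %-5s filtered: %-5s filtered string: [%s]\n",
        $plain,
        var_export(verify_answer($db, $email, $plain), true),
        var_export(verify_answer($db, $email, $filtered), true),
        $filtered
    );
}
```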