I've searched high and low for this topic, and no one has the same issue I'm experiencing that I could find.
I'm creating a user in a MySQL table, with a hash from password_hash with a strength of 10.
I've been having hell getting it to validate, and have made a test script to actually validate my findings. Here is the script:
public function testAction(){
    $data = new dataHandler;
    $data->table = "access";
    $hash1 = $data->insert(array('email'=>'test6@test.com', 'password'=>'ABC123.abc', 'password_confirm'=>'ABC123.abc', 'alias'=>'ABC123.abc'));
    $res = $data->find(array('email'=>'test6@test.com'));
    $hash2 = $res[0]['hash'];
    $test = password_verify('ABC123.abc', $hash1);
    $test2 = password_verify('ABC123.abc', $hash2);
    var_dump($test);
    echo "<br>";
    var_dump($test2);
    echo "<br><br>";
    echo "Length: " . strlen($hash1) . "<br>{$hash1}<br>Length: " . strlen($hash2) . "<br>{$hash2}";
    die();
}
To verify that my script wasn't somehow doing something weird when storing, I made my hash method (called from within the insert() method dynamically) echo out the hash directly:
public function createHash($password){
    // HASH is an application constant defined elsewhere (the algorithm passed to password_hash)
    $hash = password_hash($password, HASH);
    echo "Length: " . strlen($hash) . "<br>$hash<br>";
    return $hash;
}
Here's the insert method. cleanData simply unsets anything not available in a describe - it is not changing any values whatsoever. Warning, it's terribly ugly presently due to a lot of debugging and such:
public function insert($data){
    if(!is_array($data)){
        return false;
    } else {
        $this->openDb();
        $ins = "";
        $fs = "";
        $data = $this->cleanData($data);
        foreach($data as $key => $field){
            if($key == "password"){
                $auth = new authorization;
                $key = "hash";
                $field = $auth->createHash($field);
                $data['hash'] = $field;
                unset($data["password"]);
            }
            $ins .= ":{$key}, ";
            $fs .= "`{$key}`, ";
            //$data[$key] = $this->DBH->quote($field);
        }
        $ins = rtrim($ins, ", ");
        $fs = rtrim($fs, ", ");
        try {
            # the shortcut!
            $this->DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
            $this->DBH->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
            $STH = $this->DBH->prepare("INSERT INTO `" . $this->table . "` ($fs) value ($ins)");
            $STH->execute($data);
            $id = $this->DBH->lastInsertId();
            $this->closeDb();
            return $data['hash']; //Debugging
            return $id;
        } catch(PDOException $e) {
            $this->errHandler($e->getMessage());
        }
    }
}
Now, here's the output:
Length: 60
$2y$10$wGJxGjK4Lz4FgZ3OZJjBo.9lF7LE90p3Q5inOsBROQTU5FBVdj1LK
bool(true)
bool(false)
Length: 60
$2y$10$wGJxGjK4Lz4FgZ3OZJjBo.9lF7LE90p3Q5inOsBROQTU5FBVdj1LK
Length: 60
$2y$10$wGJxGjK4Lz4FgZ3OZJjBo.9lF7LE90p3Q5inOsBROQTU5FBVdj1LK
As you can see, both password_verify attempts fail. The first comes from the hash generation without any further manipulation, the second comes from the database.
What am I doing wrong?
The only thing I could find when searching was people testing and using double quotes, or random human error. This, however, doesn't appear to me to be either of those two.
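An added diagnostic example, not part of the question above and not the asker's code: it round-trips a bcrypt hash through a PDO table and compares the stored copy with the in-memory copy byte for byte, so that differences that are invisible when the string is echoed (trailing whitespace, truncation by a too-narrow column, a stray newline) show up in the hex dump. It uses an in-memory SQLite database so it runs offline; the table name `access`, the column name `hash` and the sample password are taken from the question, and the CHAR(60) column width is an assumption.

```php
<?php
// Added example (not from the original question): store a password_hash()
// result through PDO, read it back, and diagnose why password_verify() could
// fail on the stored copy. SQLite in-memory is used so no MySQL server is needed;
// the CHAR(60) width is an assumption (bcrypt strings are always 60 bytes).
declare(strict_types=1);

function storeAndReadBack(PDO $dbh, string $email, string $hash): string
{
    $dbh->exec("CREATE TABLE IF NOT EXISTS `access` (`email` TEXT, `hash` CHAR(60))");

    $sth = $dbh->prepare("INSERT INTO `access` (`email`, `hash`) VALUES (:email, :hash)");
    $sth->execute(['email' => $email, 'hash' => $hash]);

    $sth = $dbh->prepare("SELECT `hash` FROM `access` WHERE `email` = :email");
    $sth->execute(['email' => $email]);

    // fetchColumn() returns false when no row matched; cast keeps the type stable
    return (string) $sth->fetchColumn();
}

// Compare the original and stored hash byte by byte. hash_equals() is used so the
// comparison is constant-time, and bin2hex() exposes bytes that echo would hide.
function diagnose(string $password, string $original, string $stored): array
{
    return [
        'identical'       => hash_equals($original, $stored),
        'len_original'    => strlen($original),
        'len_stored'      => strlen($stored),
        'hex_original'    => bin2hex($original),
        'hex_stored'      => bin2hex($stored),
        'verify_original' => password_verify($password, $original),
        'verify_stored'   => password_verify($password, $stored),
    ];
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$password = 'ABC123.abc';                                   // sample value from the question
$hash     = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$stored = storeAndReadBack($dbh, 'test6@test.com', $hash);
print_r(diagnose($password, $hash, $stored));

// Constructed failure case: a column narrower than 60 characters on a MySQL
// server without strict mode silently truncates the hash, which makes
// password_verify() return false even though the prefix still echoes as a
// plausible bcrypt string. Simulated here by cutting the string to 50 bytes.
$truncated = substr($hash, 0, 50);
print_r(diagnose($password, $hash, $truncated));
```

If `identical` is true for the stored copy, the database round trip is not the problem and the mismatch lies elsewhere in the application (for instance a different row being fetched). If it is false, `hex_original` and `hex_stored` show exactly which bytes differ, which is the check to run before changing the column definition or the hashing code.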