So, basically, I have a simple database where users are stored. password_hash is used to insert the passwords, but for some reason, this code:
```php
$sql = $conn->prepare("SELECT `password` FROM `users` WHERE `email`=:email LIMIT 1");
$sql->bindParam(":email", $email);
$sql->execute();
$out = $sql->fetch();
print_r(password_verify($password, trim($out['password'])) . " - " . $password . " - " . $out[0]);
die();
```
displays this:
```
- spice - $2y$10$YOVX2MCk8KSpUuii5fEQ5.OUmRh09lEfF.wZ65jh4.PUB5wSgdHim
```
Even if I was using the wrong password, shouldn't it at least return false? Is this some part of a new feature in PHP 7?
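
Added example (not part of the original post): PHP casts a boolean `false` to an empty string when it is concatenated, which is why the first field of the output above is blank, while `var_export()` shows the actual result. The password, the hash and the `check_login()` helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: this password and hash are generated here,
// they are not the values from the post.
$stored = password_hash('correct horse', PASSWORD_DEFAULT);

// Hypothetical helper: returns a strict bool for a row as fetched by PDO.
function check_login(string $attempt, $row): bool
{
    // PDOStatement::fetch() returns false when no row matched the email.
    if (!is_array($row) || !is_string($row['password'] ?? null)) {
        return false;
    }
    return password_verify($attempt, $row['password']);
}

// Same shape as a row fetched in PDO's default FETCH_BOTH mode.
$row = ['password' => $stored, 0 => $stored];

foreach (['correct horse', 'spice'] as $attempt) {
    $ok = check_login($attempt, $row);

    // Concatenation casts the bool to a string: true => "1", false => "".
    echo '[' . $ok . '] - ' . $attempt . PHP_EOL;

    // var_export() renders the bool as the word true or false instead.
    echo var_export($ok, true) . ' - ' . $attempt . PHP_EOL;
}

// No matching row: the helper still returns a plain bool to branch on.
var_dump(check_login('spice', false));
```

In a login handler, branch on the boolean with `if (check_login(...))` rather than printing or comparing its string form.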