Search the Community

I copied the code for password_hash at php.net: <?php /** * In this case, we want to increase the default cost for BCRYPT to 12. * Note that we also switched to BCRYPT, which will always be 60 characters. */ $options = [ 'cost' => 12, ]; echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options); ?> and changed it for use in my login page: $options = ['cost' => 12,]; $user = mysqli_real_escape_string($db_link,$_GET['username']); $pass = password_hash($_GET['password'], PASSWORD_BCRYPT, $options); but my page keeps saying invalid user/pass. Upon echoing the $pass I find that the result changes EACH time. so I created a test page that runs the code from php.net (verbatim code) 20x and I got: [pre] $2y$10$Nlf0J520viR4C5jd3nIdd.6M3OMKACx503Jm3PiXDYZIs.13XAheq $2y$10$SO1ip3JI.EGjUJb3JYUDSeAUszg6A3UBX9b.ENk2aythAuxQ1apxS $2y$10$Ub7cQSbFWXhkLrzm3ldGGe8FfgsOjS99vgj9l801yqXgPjvJmVpsm $2y$10$8fNzz/tmrg8tLdHOk0r7GOh0j1frKN3ujA/qzrFHi/s22jMO/hbri $2y$10$o.5LnDxkhw/YNxJT16fuIOiQbnhHKs51SqFTqQ3KsflY6nYV.HLLm $2y$10$zQZiauRe6tuF2rGd1XGcO.E7ekhfP68Sqih8ll9Om7n5c2NO3tPSu $2y$10$uLZXDAQu14EW8P4CMMICBuvRv0wOEAxghzJV1c9UuNK7yTRJNNdjO $2y$10$P6Uy4/PDOnE9zv/VxRAWFebKY/qYXj1unIrTvV42xUxe.zXx3ut2W $2y$10$uHb8qdh3CGe0BkXdyuThHu0vgAH5bxEPYMe0VK410Q7xqcAlC.xuy $2y$10$xXwbec0Cn0JcMorGgmmRY.qHW.N1pNoYq.2V.IAQHsCDYPXtgQyJ6 $2y$10$w88m.M6BmVVoYYBhM1IAquOIb4NH9n093nQmdzhKm0Fq2ykgcZFZm $2y$10$IkVTs7.z4rZt5/rkgRQnKeXfINb7VTqXxTDRZB9caR4X0rwKtdhIW $2y$10$XyjX0X0I.l4Ct9eF4zhhz.S5Cg/Ppqf3veL9ciehjBr/2Rp8usPCm $2y$10$iJkhIWl95TVlA4hw2nltd./YmyXA2.abqTu8WFs/YuEvJsndosv6W $2y$10$kwVNtAaKxG8z2m.D0evl..Xx64NWPxbFAIBjCDLBfgiJncgniBB7S $2y$10$m8ZyiI7HhXutyTZGySit/O3lmAGsIlfRqEcYc7eCV2XS9TS1Sw9/y $2y$10$uYDilXy1HKT9M6DiPUhAe.3W5teCpkTF4x5UgVYiJctz4HXNMzU9e $2y$10$0HDD2quyh2AfMeF41PbKTu7PGTPn2fcl42HLxweaIHay9KbPDrEh6 $2y$10$qc0Kt5VtkrslpLlQmvq5a.dboTbf8qEif9KOwYwjoGGh6Q.xoN8JK [/pre] Is password_hash broken? or am I mistaken to think that it's supposed to return the same output everytime fror the same input?

I have been working on a login form, I have completed the registration side but the login form is proving to be fighting back. I have just jumped into the world of PDO and only recently PHP in a serious way. I have been trying to use the password_verify(); function but I have spent so long on it now trying to get it working I have made it more difficult than it should be and probably is. I would be grateful if someone could take a look at my code and just tell me what I am doing wrong. I have tested it with the username and password hard coded in and it returns an array however if I comment out the hard coded username and password I get an empty array. I dare say that someone will see the issue straight away but I cannot get my head round it. <?php session_start(); error_reporting(0); require '../php_inc/connection/connect.php'; require_once '../php_inc/functions.php'; $error = ''; // all error messages will use this variable $msg = 'Please fill in both fields and answer the captcha, they are all required to log in.'; if(isset($_POST['submitted'])){ $dbuname = 'dashby'; // As if check with DB - If I comment these 2 out and try to get data from DB I get empty array $hashed = '$2y$12$7hcyfm7UjboYGaNLF7vK1.qroo3YkvhKAR8EfxG1byEMkNB0oSQgi'; // As if check with DB - same password require 'Captcha.php'; $username = escape_in($_POST['username']); // Username $captcha = escape_in($_POST['captchaResult']); //Captcha $unhashed = escape_in($_POST['password']); //Password b4 hashing takes place //$submittedPassword = password_hash($unhashed, PASSWORD_DEFAULT, ['cost' => 12]); // connect to the database so the checks can be done. if($pdo){ $stmt = $pdo->prepare("select * from users where username = :username && password = :password"); $stmt->bindParam(":username", $username); $stmt->bindParam(":password", $unhashed); // If $hashed is the variable I get an array returned, as $unhashed I get an empty array echo '<pre>'; if($stmt->execute()){ $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); print_r($rows); } } echo '</pre>'; if($total == $getCaptchaResults){ //Capcha OK if(password_verify($unhashed, $hashed)){ //$msg = ''; //$error .= 'Password match'; if($username == $dbuname){ //$msg = ''; //$error .= 'Captcha, username and password ok'; // working to this point $_SESSION['username']; //header('Location: welcomelogged.php'); } else { $msg = ''; $error .= 'Denied wrong username and/or password'; } } else { $msg = ''; $error .= 'Denied wrong password and/or username'; } } else { if(($total != $getCaptchaResults)){ $msg = ''; $error .= 'Captcha Wrong'; } } }// post submitted brace ?> The if statements all work bar the password_verify when I comment out the hard coded variables out, directly under if(isset($_POST['submitted'])) {} I would be grateful if someone could steer me in the right direction. Thanks in advance.