
Shivamyadav

PHP password_verify?

How can I check the password is matched with my database record or not?

My code is here:

// password validation
$sql = "SELECT * FROM `users` where password = '$password' ";
$query = mysqli_query($conn, $sql);
$passwordRow = mysqli_num_rows($query);
$passwordVerify = password_verify($password, $passwordRow['password']);
var_dump($passwordVerify);
if($passwordVerify == false){
    $errors['password'] = "Password is incorrect.";
}
        
thinkverse

To check if a password is correct with PHP's password_verify function, you first need to store a previously hashed version of the password, using the password_hash function, and then check the plaintext password against that hash.

// Hash the password on user creation and store it in the database.
$hashed = password_hash("my-secret-password", PASSWORD_DEFAULT);

Never store plaintext passwords. Look up your users by username or email, fetch the hashed password, and then verify that the passwords match. Also never put user input directly in a SQL query; either escape it or use prepared statements.

// Fetch the stored hash and check it against the provided plaintext version.
$passwordVerify = password_verify($password, $hashedPassword);

If you are using Laravel though, you should use the provided hashing functionality instead.

use Illuminate\Support\Facades\Hash;

// Hash the password on user creation and store it in the database.
$hashed = Hash::make("my-secret-password");

// Fetch the stored hash and check it against the provided plaintext version.
$passwordVerify = Hash::check($password, $hashedPassword);

Shivamyadav

@thinkverse Yeah! I have stored the password using password_hash().

if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    $errors = [];

    $confrimPass = $_POST['passwordC'];
    $password = $_POST['password'];
    $name = mysqli_real_escape_string($conn, $_POST['name']);
    $email = mysqli_real_escape_string($conn, $_POST['email']);
    // Hash the raw password; escaping it first would change what gets hashed,
    // and the resulting hash contains no characters that need escaping.
    $hashedPassword = password_hash($password, PASSWORD_DEFAULT);

    require '../validation/storeValidation.php';
    if(empty($errors))
    {
        $sql = "INSERT into `users`(name,email,password)
                values('$name', '$email', '$hashedPassword')";
        $queryRun = mysqli_query($conn, $sql);
    }
}

But I am unable to understand how to verify the password from the database hashed password against the login-time $_POST['password'] coming from the user through the login form. Can I get some code for it?

thinkverse

@Shivamyadav Don't fetch the user by the password, since it won't match the stored version; each time you hash it, the result will be different. Look up the user with prepared statements by email and return the hashed password.

// $email holds the login-form value (e.g. $_POST['email']); it is bound as a parameter, never interpolated into the SQL.
$stmt = mysqli_prepare($conn, "SELECT password FROM `users` where email = ?");
// Bind the user-provided email stored in a variable.
mysqli_stmt_bind_param($stmt, "s", $email);

// Execute the statement and fetch the hashed password into $hashedPassword.
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $hashedPassword);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);

Then verify the plaintext password given by the user against the hashed password returned for that email address.

$passwordVerify = password_verify($password, $hashedPassword);
var_dump($passwordVerify);
if($passwordVerify == false){
    $errors['password'] = "Password is incorrect.";
}
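As an added example (not thinkverse's or the original poster's code), here is the same lookup-by-email plus password_verify flow wrapped in functions, with the lookup separated from the check so the verification logic runs offline against a constructed in-memory user list. The table and column names, the example emails and passwords, and the use of password_needs_rehash are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a `users` table with
// `email` and `password` (hash) columns when used with a real mysqli connection.

// Returns the stored hash for $email, or null when no such user exists.
function findHashByEmail(mysqli $conn, string $email): ?string {
    $stmt = mysqli_prepare($conn, "SELECT password FROM `users` WHERE email = ?");
    mysqli_stmt_bind_param($stmt, "s", $email);   // bound, never interpolated
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt);            // true when a row came back
    mysqli_stmt_close($stmt);
    return $found ? $hash : null;
}

// Verifies $password against the hash that $lookup returns for $email.
// $lookup is any callable mapping email => stored hash (or null), so this
// function can be exercised without a database. Returns
// ['ok' => bool, 'rehash' => ?string]; 'rehash' carries a fresh hash when the
// stored one used outdated parameters and should be written back to the row.
function checkLogin(callable $lookup, string $email, string $password): array {
    $hash = $lookup($email);
    if ($hash === null) {
        // Unknown email: do the same amount of verify work against a dummy hash
        // so response time does not reveal which emails are registered.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return ['ok' => false, 'rehash' => null];
    }
    if (!password_verify($password, $hash)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($hash, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Constructed in-memory "users table" so the example runs without MySQL.
$users  = ['alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT)];
$lookup = fn(string $email): ?string => $users[$email] ?? null;

var_dump(checkLogin($lookup, 'alice@example.com', 'correct horse')['ok']);
var_dump(checkLogin($lookup, 'alice@example.com', 'wrong password')['ok']);
var_dump(checkLogin($lookup, 'nobody@example.com', 'wrong password')['ok']);

// With a live connection $conn and form values $email/$password:
// $result = checkLogin(fn($e) => findHashByEmail($conn, $e), $email, $password);
```

The first call succeeds and the other two fail; on success, if `$result['rehash']` is not null, store it with an UPDATE bound the same way as the SELECT.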
OussamaMater

@thinkverse I would recommend a small refactor:

if(!$passwordVerify){
    $errors['password'] = "Password is incorrect.";
}

Or, if you do want to make it explicit, using === would be better, to avoid a type-juggling vulnerability :)

OussamaMater

Are you using Laravel? Because if so, you don't need to do it this way, and the code has a few mistakes:

  1. You are not using prepared statements, therefore you are at risk of a SQLi attack. If the password is ' or 1=1 -- - that query will always be true and will return all the users, and you can do much more than that, like dumping the whole database.
  2. mysqli_query() returns the result of that SELECT statement and not a query.
  3. mysqli_num_rows() returns the affected rows, so the $passwordVerify variable contains an integer. password_verify() expects two strings, the 2nd of which must be created by crypt(), which is never the case here, so it won't work properly.

If you are using Laravel, it provides all this out of the box.

Sinnbeck

Your problem is that you are trying to find the user by the password. That won't work. Find the user by the username:

$sql = "SELECT * FROM `users` where username = '$username' ";

Also, never put this in production, as it's ripe for SQL injection.
