
PHP password_verify() Function

The password_verify() function checks whether a password matches a hash. The hash is generated by another function, password_hash(), based on the hashing algorithm, cost, and salt value. The hash itself contains all the hashing information that password_verify() needs to check a password against it. This tutorial shows the uses of this function through multiple examples.

Syntax

This function takes two arguments and returns true on success and false on failure. The syntax of this function is given below.

password_verify ( string $password , string $hash ) : bool

The first argument contains the password that will be checked. The second argument contains the hash value against which the password is checked. This hash value is generated by the password_hash() function.
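The hash passed as the second argument carries the algorithm, cost and salt, which is why password_verify() takes no other settings. The script below is an added example, not part of the original tutorial, that makes this visible; the password and labels are constructed for illustration.

```php
<?php
// Added example: the password and variable names are constructed for illustration.
$password = 'secretpass456';

// Hash the same password three times with different settings.
$hashes = [
    'default'        => password_hash($password, PASSWORD_DEFAULT),
    'bcrypt cost 10' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]),
    'bcrypt cost 12' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
];

foreach ($hashes as $label => $hash) {
    // password_get_info() parses the algorithm and options out of the hash string.
    $info = password_get_info($hash);
    printf("%-15s %s algo=%s options=%s\n", $label, $hash, $info['algoName'], json_encode($info['options']));

    // No algorithm, cost or salt is passed here: password_verify() reads them from $hash.
    var_dump(password_verify($password, $hash));
    var_dump(password_verify('wrongpass', $hash));
}

// A fresh random salt is used on every call, so hashing the same password
// with the same settings twice gives two different strings that both verify.
$again = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($again === $hashes['bcrypt cost 10']);
var_dump(password_verify($password, $again));

// A string that is not a valid hash is rejected rather than raising an error.
var_dump(password_verify($password, 'not-a-hash'));
```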

Different algorithms can be used to generate the hash value of a password. The second argument of the password_hash() function takes a constant that indicates the hashing algorithm. The constants that can be used by the password_hash() function are listed below.

| Constant Name | Description |
| --- | --- |
| PASSWORD_DEFAULT | It uses the default algorithm to generate the hash value of the password. |
| PASSWORD_BCRYPT | It uses the CRYPT_BLOWFISH algorithm to generate the hash value of the password. |
| PASSWORD_ARGON2I | It uses the Argon2i algorithm to generate the hash value of the password. |
| PASSWORD_ARGON2ID | It uses the Argon2id algorithm to generate the hash value of the password. |

Uses of password_verify() Function

This part of the tutorial shows how to verify a password against hash values generated by different hashing algorithms.

Example-1: Verify Password with the Hash Generated by PASSWORD_DEFAULT

Create a PHP file with the following script, which displays a form where the user provides a password. When the submit button is pressed, the password is checked by the password_verify() function.

The constant PASSWORD_DEFAULT is used in the password_hash() function to generate the hash value of a particular password. Next, the password_verify() function is used to check whether the password given by the user is valid or invalid.

<html>
<head>
    <title>Password Verification</title>
</head>
<body>
<br/><br/>
<center>
    <form method="post" action="#">
        <input type="password" name="pass" />
        <input type="submit" name="sub" value="Verify Password" />
    </form>
</center>
</body>
</html>

<?php
// Generate the hash value of the password.
// It is hard-coded here for the demonstration; an application stores the
// hash created at registration instead of hashing on every request.
$hash = password_hash('secretpass456', PASSWORD_DEFAULT);

// Check whether a password has been submitted by the user.
// is_string() rejects array input such as pass[]=x, which password_verify() cannot accept.
if (isset($_POST['pass']) && is_string($_POST['pass']))
{
    // Read the password submitted by the user
    $password = $_POST['pass'];

    // Check whether the password is valid or invalid
    if (password_verify($password, $hash)) {
        echo '<center>Password is valid!</center>';
    } else {
        echo '<center>Password is invalid.</center>';
    }
}
?>

Output:

If the user submits the valid password, the script prints the message: Password is valid!

If the user submits an invalid password, the script prints the message: Password is invalid.

Example-2: Verify Password with the Hash Generated by PASSWORD_BCRYPT

Create a PHP file with the following script, which displays a form where the user provides a password. As in the previous example, the password is checked by the password_verify() function when the submit button is pressed.

The constant PASSWORD_BCRYPT and a cost value are used in the password_hash() function to generate the hash value of a particular password. Next, the password_verify() function is used to check whether the password given by the user is valid or invalid.

<html>
<head>
    <title>Password Verification</title>
</head>
<body>
<br/><br/>
<center>
    <form method="post" action="#">
        <input type="password" name="pass" />
        <input type="submit" name="sub" value="Verify Password" />
    </form>
</center>
</body>
</html>

<?php
// Set the password value
$password = "secretpass";

// Set the cost value (for bcrypt, each increment doubles the hashing work)
$options = [ "cost" => 15 ];

// Generate the hash value of the password with the cost value
$hash = password_hash($password, PASSWORD_BCRYPT, $options);

// Check whether a password has been submitted by the user.
// is_string() rejects array input such as pass[]=x, which password_verify() cannot accept.
if (isset($_POST['pass']) && is_string($_POST['pass']))
{
    // Read the password submitted by the user
    $password = $_POST['pass'];

    // Check whether the password is valid or invalid
    if (password_verify($password, $hash)) {
        echo '<center>Password is valid.</center>';
    } else {
        echo '<center>Password is invalid.</center>';
    }
}
?>

Output:

If the user submits the valid password, the script prints the message: Password is valid.

If the user submits an invalid password, the script prints the message: Password is invalid.
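Example-1 and Example-2 hash a fixed password on every request to keep the demonstration short. The flow below is an added example, not part of the original tutorial: the hash is created once and stored, verified at login, and upgraded with password_needs_rehash() when the cost policy changes. The $users array stands in for a database table, and the function names, account name, passwords and cost values are hypothetical.

```php
<?php
// Added example. $users stands in for a database table; the function names,
// account name and passwords are hypothetical.
const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // current policy (constructed value)

function register_user(array &$users, string $name, string $password, array $options = HASH_OPTIONS): void
{
    // Hash once, at registration, and store only the hash.
    $users[$name] = password_hash($password, HASH_ALGO, $options);
}

function login(array &$users, string $name, string $password): bool
{
    // Unknown accounts are checked against a throwaway hash so that a lookup
    // miss still performs a hash computation instead of returning immediately.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTIONS);

    $known = isset($users[$name]);
    $hash  = $known ? $users[$name] : $dummy;
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }

    // The stored hash records the cost it was created with. If that no longer
    // matches the current policy, re-hash while the plain password is at hand.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$name] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

function stored_cost(array $users, string $name): int
{
    return password_get_info($users[$name])['options']['cost'];
}

// Constructed sample data: an account created under an older policy (cost 10).
$users = [];
register_user($users, 'alice', 'secretpass456', ['cost' => 10]);

var_dump(login($users, 'alice', 'wrongpass'));       // wrong password
echo 'cost after failed login: ', stored_cost($users, 'alice'), "\n";
var_dump(login($users, 'alice', 'secretpass456'));   // correct password
echo 'cost after successful login: ', stored_cost($users, 'alice'), "\n";
var_dump(login($users, 'nobody', 'secretpass456'));  // unknown account
```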

Example-3: Verify Password with the Hash Generated by PASSWORD_ARGON2I

Create a PHP file with the following script, which displays a form where the user provides a password. As in the previous example, the password is checked by the password_verify() function when the submit button is pressed.

The constant PASSWORD_ARGON2I and cost options are used in the password_hash() function to generate the hash value of a particular password. Argon2 takes its cost settings from the memory_cost, time_cost, and threads options rather than from the bcrypt cost option. The hash value of the password is printed in the output. Next, the password_verify() function is used to check whether the password given by the user is valid or invalid.

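<?php
// Set the password value
$password = "secretpass";

// Generate the hash value of the password (requires PHP built with Argon2 support).
// Argon2 ignores the bcrypt "cost" option; its cost settings are
// memory_cost, time_cost and threads, set here to the PHP defaults.
$hash = password_hash($password, PASSWORD_ARGON2I, [
    "memory_cost" => PASSWORD_ARGON2_DEFAULT_MEMORY_COST,
    "time_cost"   => PASSWORD_ARGON2_DEFAULT_TIME_COST,
    "threads"     => PASSWORD_ARGON2_DEFAULT_THREADS,
]);

echo "<center>The hash value :<br/>$hash</center>";
?>

<html>
<head>
    <title>Password Verification</title>
</head>
<body>
<br/><br/>
<center>
    <form method="post" action="#">
        <input type="password" name="pass" />
        <input type="submit" name="sub" value="Verify Password" />
    </form>
</center>
</body>
</html>

<?php
// Check whether a password has been submitted by the user.
// is_string() rejects array input such as pass[]=x, which password_verify() cannot accept.
if (isset($_POST['pass']) && is_string($_POST['pass']))
{
    // Read the password submitted by the user
    $password = $_POST['pass'];

    // Check whether the password is valid or invalid
    if (password_verify($password, $hash)) {
        echo '<center>Password is valid.</center>';
    } else {
        echo '<center>Password is invalid.</center>';
    }
}
?>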

Output:

After executing the above script, the page displays the hash value above the form.

If the user submits the valid password, the script also prints the message: Password is valid.

Conclusion

Password verification is required to authenticate the user, and it is an essential task of any website. This tutorial has shown the uses of the password_verify() function to verify passwords against different hash values by using an HTML form.

About the author

Fahmida Yesmin

I am a trainer of web programming courses. I like to write articles or tutorials on various IT topics. I have a YouTube channel where many types of tutorials based on Ubuntu, Windows, Word, Excel, WordPress, Magento, Laravel etc. are published: Tutorials4u Help.