Password is not verified using function password_verify

轮回少年 2020-12-12 05:36

I think I have hashed the password using the function PASSWORD directly from the MySQL database (am I doing wrong here?). And I am trying to verify that password with this c

4 answers
  •  余生分开走
    2020-12-12 05:44

    You must use password_hash to encode passwords verified with password_verify.

    The MySQL function PASSWORD is something entirely different. It is used for encoding passwords specific to MySQL authentication. (MySQL specifically recommends against using PASSWORD for anything other than MySQL authentication.)

    The two use different hashing algorithms, present their output in different formats, and are generally not compatible with each other.


    The typical way to use password_hash and password_verify is:

    $hash = password_hash($password, PASSWORD_DEFAULT);
    //Store $hash in your database as the user's password
    
    //To verify:
    //Retrieve $hash from the database, given a username
    $valid = password_verify($password, $hash);
    

    The problem in your code is that you're doing this:

    $password=password_verify($password,$hash);
    $sql = "select * from admin where username = '" . $first . "' and password = '". $password . "'";
    

    password_verify returns a boolean (whether the password and hash matched). Instead, you need to retrieve the hash from the database and match the entered password with that hash.
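
The flow the answer describes (fetch the stored hash by username, then call password_verify on it), shown as an added example that is not part of the original answer. The admin table and its username and password columns come from the question's query; the in-memory SQLite database via PDO, the login() helper, the DUMMY_HASH constant and the sample account are assumptions made so the script runs offline.

```php
<?php
// Added example. Table and column names follow the question's query; the
// SQLite in-memory database and the sample account are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Hash checked for unknown users so both paths do comparable work (hypothetical helper constant).
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// Registration: hash in PHP with password_hash, not with MySQL's PASSWORD().
$insert = $pdo->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $username, string $password): bool
{
    // Look the row up by username only; the password never goes into the SQL.
    $stmt = $pdo->prepare('SELECT password FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Re-hash on successful login if PASSWORD_DEFAULT's algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $update = $pdo->prepare('UPDATE admin SET password = ? WHERE username = ?');
        $update->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

var_dump(login($pdo, 'alice', 'correct horse'));
var_dump(login($pdo, 'alice', 'wrong password'));
var_dump(login($pdo, 'nobody', 'correct horse'));
```

In MySQL, give the password column room for future algorithms; the PHP manual suggests 255 characters for hashes produced with PASSWORD_DEFAULT.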
