PHP :: Bug #80297 :: password_verify won't work with double quotes

Bug #80297	password_verify won't work with double quotes
Submitted:	2020-10-29 18:50 UTC	Modified:	2020-10-29 19:54 UTC
From:	brennen at swedecreek dot com	Assigned:
Status:	Not a bug	Package:	*Encryption and hash functions
PHP Version:	Irrelevant	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

[2020-10-29 18:50 UTC] brennen at swedecreek dot com

Description:
------------
When using double quotes around $hash in password_verify, it always returns false. You have to use double quotes.

Test script:
---------------
if(password_verify("helloworld", "$2y$10$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi")) {
  echo "Success";
}
else {
  echo "Fail";
}

Expected result:
----------------
Success

Actual result:
--------------
Fail

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-10-29 18:54 UTC] rtrtrtrtrt at dfdfdfdf dot dfd

because you lack basics and proper error-reporting
in double quotes you need to secape $ as \$

----------------

Interactive shell

php > if(password_verify("helloworld", "$2y$10$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi")) {echo "Success";} else {echo "Fail";}

Notice: Undefined variable: nqqnTXGG in php shell code on line 1
Fail

[2020-10-29 18:55 UTC] rtrtrtrtrt at dfdfdfdf dot dfd

php > if(password_verify("helloworld", "\$2y\$10\$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi")) {echo "Success";} else {echo "Fail";}
Success
php >

[2020-10-29 19:54 UTC] peehaa@php.net

-Status: Open +Status: Not a bug

[2020-10-29 19:54 UTC] peehaa@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

[2020-10-30 07:31 UTC] heiglandreas@php.net

Just for clarification: The only thing that needs to be escaped is the 3rd "$" as the first two are not starting a variable as the $ is immediately followed by a number which is not allowed as the first character of a variable name.

So if you have to use double quotes you need to at least write it like this:

if(password_verify("helloworld", "$2y$10\$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi")) {
  echo "Success";
}
else {
  echo "Fail";
}


But for the sake of explicitness (and my own sanity) I would always use single quotes unless I explicitly want variable replacement to actually happen within the string.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Nov 06 02:00:01 2025 UTC