Bug #80297 password_verify won't work with double quotes
Submitted: 2020-10-29 18:50 UTC Modified: 2020-10-29 19:54 UTC
From: brennen at swedecreek dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2020-10-29 18:50 UTC] brennen at swedecreek dot com
When using double quotes around $hash in password_verify, it always returns false. You have to use double quotes.

Test script:
if(password_verify("helloworld", "$2y$10$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi")) {
  echo "Success";
} else {
  echo "Fail";
}

Expected result:

Actual result:


 [2020-10-29 18:54 UTC] rtrtrtrtrt at dfdfdfdf dot dfd
because you lack basics and proper error-reporting
in double quotes you need to escape $ as \$


Interactive shell

php > if(password_verify("helloworld", "$2y$10$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi")) {echo "Success";} else {echo "Fail";}

Notice: Undefined variable: nqqnTXGG in php shell code on line 1
 [2020-10-29 18:55 UTC] rtrtrtrtrt at dfdfdfdf dot dfd
php > if(password_verify("helloworld", "\$2y\$10\$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi")) {echo "Success";} else {echo "Fail";}
php >
 [2020-10-29 19:54 UTC]
-Status: Open +Status: Not a bug
 [2020-10-29 19:54 UTC]
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.
 [2020-10-30 07:31 UTC]
Just for clarification: The only thing that needs to be escaped is the 3rd "$" as the first two are not starting a variable as the $ is immediately followed by a number which is not allowed as the first character of a variable name.

So if you have to use double quotes you need to at least write it like this:

if(password_verify("helloworld", "$2y$10\$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi")) {
  echo "Success";
} else {
  echo "Fail";
}

But for the sake of explicitness (and my own sanity) I would always use single quotes unless I explicitly want variable replacement to actually happen within the string.
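
The interpolation behaviour discussed in this thread, as an added PHP example that is not part of the original report or its comments: it writes the report's hash literal three ways, captures the undefined-variable diagnostic, and runs a structural bcrypt check on each result. The helper name isWellFormedBcrypt is hypothetical.

```php
<?php
// Added example, not code from the bug report or its comments.
// Collect diagnostics instead of printing them, so the undefined-variable
// message (a Notice in PHP 7, a Warning in PHP 8) shows up in the report below.
$diagnostics = [];
set_error_handler(function (int $no, string $msg) use (&$diagnostics): bool {
    $diagnostics[] = $msg;
    return true;
});

// The hash literal from the report, written three ways.
$variants = [
    'single quotes'   => '$2y$10$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi',
    'double quotes'   => "$2y$10$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi",
    'third $ escaped' => "$2y$10\$nqqnTXGG/W4kNWDQ6Zlx8uNbduUfYmn/iS7eKOj9fbG6iVa.3dOAi",
];
restore_error_handler();

// Hypothetical helper: structural check for a bcrypt string as PHP stores it
// ("$2y$" + two-digit cost + "$" + 53 characters of salt and digest = 60).
function isWellFormedBcrypt(string $hash): bool
{
    return preg_match('#^\$2y\$\d{2}\$[./A-Za-z0-9]{53}$#D', $hash) === 1
        && password_get_info($hash)['algoName'] === 'bcrypt';
}

$reference = $variants['single quotes'];
foreach ($variants as $label => $hash) {
    printf(
        "%-16s length=%2d well-formed=%-3s identical-to-single-quoted=%s\n",
        $label,
        strlen($hash),
        isWellFormedBcrypt($hash) ? 'yes' : 'no',
        $hash === $reference ? 'yes' : 'no'
    );
}

// Every interpolation attempt PHP reported while building the literals.
foreach ($diagnostics as $message) {
    echo 'diagnostic: ', $message, "\n";
}
```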
Last updated: Sun Aug 14 03:05:46 2022 UTC