0

PHP hashing passwords (and verifying them)

Hello. I recently coded a login system including a mail verification system. For that, I'm generating a unique and random 256 characters long verification code that is being added as a $_GET superglobal to the verify.php. That link is sent to the user's email. The verification codes look something like that: 6sA9BJBLwgKanwiWKOCaYxNFcPc3aE6vHPJ7rKA7JksfXCOXcO2XDYfkkIBOOY7pf9BdCuyHMomYvQwG1wZXKH3fpmsff4nYbz8v7Jh2ZxeRVH2BlJMLGQlZVmHP2u1fQqdJXAOZt0yXnwjGvFcNF1kcBzzlBKNuNHuDaH5cXQLzk6IvkaQAwmMXMpiFXL0kueptelmS5iYmckYJPZRsF4mBKzkkYG2CmVReOHghi98nHt44N0A6VAWpgVL4emY6 The hashes of the verification codes are stored in the database, so in case anybody gets access to the database, they wouldn't be able to confirm anybody's email. When the user clicks the link to the verify.php that has been sent by email, my PHP script checks via the password_verify() method if the $_GET variable from the email link belongs to the hash stored in the database or not. If I place any characters at the very beginning of the password, my script says that the verification code is invalid. But when I put random characters anywhere but not at the beginning of the $_GET variable and I hit enter to run the verify.php script, it successfully registers the email as verified unless it is another password than specified in the email. When I change the length of the generated password to something like 32 chars, adding any character at the end of the password or in the middle of it won't result in my script verifying this password as correct. Why is that so? Does my code have security vulnerablities?

22nd Jul 2019, 7:18 PM
Niklas
5 Antworten
+ 1
Niklas I replied on your code! It may have something to do with casting.
22nd Jul 2019, 9:14 PM
Checker 8763
Checker 8763 - avatar
+ 1
Niklas Klar, Ich heiße genau so auf Discord!
22nd Jul 2019, 9:19 PM
Checker 8763
Checker 8763 - avatar
0
Please have a look at the following code and try changing the value of the length from 71 to any higher value and notice that the password will be verified. https://code.sololearn.com/wMht8paA1K3d/#php
22nd Jul 2019, 7:39 PM
Niklas
0
Checker 8763 any ideas?
22nd Jul 2019, 9:05 PM
Niklas
0
Checker 8763 Ich sehe gerade, dass du auch aus Deutschland kommst, lass uns doch auf Deutsch schreiben. Hast du Discord oder etwas Ähnliches, damit ich dir privat schreiben kann, falls das in Ordnung geht? :)
22nd Jul 2019, 9:16 PM
Niklas