PHP hashing - Why does it behave like that?
Hello. I recently coded a login system including a mail verification system. For that, I'm generating a unique and random 256 characters long verification code that is being added as a $_GET superglobal to the verify.php. That link is sent to the user's email. The verification codes look something like that: 6sA9BJBLwgKanwiWKOCaYxNFcPc3aE6vHPJ7rKA7JksfXCOXcO2XDYfkkIBOOY7pf9BdCuyHMomYvQwG1wZXKH3fpmsff4nYbz8v7Jh2ZxeRVH2BlJMLGQlZVmHP2u1fQqdJXAOZt0yXnwjGvFcNF1kcBzzlBKNuNHuDaH5cXQLzk6IvkaQAwmMXMpiFXL0kueptelmS5iYmckYJPZRsF4mBKzkkYG2CmVReOHghi98nHt44N0A6VAWpgVL4emY6 The hashes of the verification codes are stored in the database, so in case anybody gets access to the database, they wouldn't be able to confirm anybody's email. When the user clicks the link to the verify.php that has been sent by email, my PHP script checks via the password_verify() method if the $_GET variable from the email link belongs to the hash stored in the database or not. If I place any characters at the very beginning of the password, my script says that the verification code is invalid. But when I put random characters anywhere but not at the beginning of the $_GET variable and I hit enter to run the verify.php script, it successfully registers the email as verified unless it is another password than specified in the email. Why is that so? Does my code have security vulnerablities?