PHP - password_verify 总是返回 false

Question

I'm having troubles with verifying a password with the password_hash and password_verify functions. For some reason it always returns false.

The hash is stored in a database, when the user provides an email and a password, if a record of a user with the provided email exists, the provided pass and the hash from that user record is verified (which returns false, providing the right password).

The code below is for test purposes because it wasn't working properly in the real context (with data stored in the database)

Here's some of the code.

  <?php
      //create random password with 15 chars
      $pass = generate_random_string(15);
      $hash = password_hash($pass, PASSWORD_BCRYPT);
      var_dump(password_verify($pass, $hash));
      //returns bool(true)

Until this part everything is fine, it creates a pass, hash it and when verified returns true. Now the weird part.

       if (isset($_GET['pass']) &&
           isset($_GET['hash'])) {

            var_dump(password_verify($_GET['pass'], $_GET['hash']));
            //returns bool(false)
       }
   ?>

If I take the previous generated values (pass and hash) and pass them has URL parameters and verify them, it returns false.

What am I doing wrong here?

UPDATE

dumping $_GET array shows the correct parameters and values.

Answer 1

Try encoding the values before appending them to the url:

$pass = generate_random_string(15);
$hash = password_hash($pass, PASSWORD_BCRYPT);
var_dump(password_verify($pass, $hash));
$pass_encoded = urlencode($pass); // PASS THIS IN THE URL
$hash_encoded = urlencode($hash); // PASS THIS IN THE URL

And the decode it:

if (isset($_GET['pass']) && isset($_GET['hash'])) {
    var_dump(password_verify(urldecode($_GET['pass']), urldecode($_GET['hash'])));
}