login - PHP Password_verify always returns false no matter what? -


i creating login , registration system in php. using php's password_hash , password_verify functions in same class.

every time try , check password returns false.

my sql password row set text.

here user class creating , logging users in.

<?php  /** *  */ class user {     private $pdo;     function __construct()     {         # code...     }      public function newuser($username, $email, $password)     {         global $pdo;         //check if username taken         $checkusername = $this->checkusername($username);         if (!$checkusername) {             $checkemail = $this->checkemail($email);             if (!$checkemail) {                 $hashpass = password_hash($password, password_default);                 if ($hashpass) {                     $upload = $pdo->prepare("insert users (username, password, email) values (:username, :password, :email)");                     $upload->execute(array(":username"=>$username, ":password"=>$hashpass, ":email"=>$email));                      if ($upload) {                         return true;                     }else{                         return false;                     }                 }             }else{                 return false;             }         }else{             return false;         }          return false;         //check if email in use         //hash password         //uplaod user     }      public function checkusername($username)     {         global $pdo;         $sql = $pdo->prepare("select username users username = :username limit 1");         $sql->execute(array(":username"=>$username));          $rows = $sql->fetchcolumn();         if ($rows) {             return true;         }else{             return false;         }          return false;     }      public function checkemail($email)     {         global $pdo;         $sql = $pdo->prepare("select email users email = :email limit 1");         $sql->execute(array(":email"=>$email));          $rows = $sql->fetchcolumn();         if ($rows) {             return true;         }else{             return false;         }          return false;     }      public function loggedin()     {         if (isset($_session['username'])) {             if ($_session['username'] !== "anonymous") {                 if ($_session['loggedin']) {                     return true;                 }else{                     return false;                 }             }else{                 return false;             }         }else{             return false;         }          return false;     }      public function login($username, $password)     {         global $pdo;         if (!empty($username) && !empty($password)) {             //check if username exists             $checkusername = $this->checkusername($username);             if ($checkusername) {                 //get db pass                 $dbpass = $pdo->prepare("select password users username = :username limit 1");                 $dbpass->execute(array(":username"=>$username));                 $pass = $dbpass->fetchcolumn();                 //verify password                 if ($pass) {                     $verify = password_verify($password, $pass);                     if ($verify) {                         return true;                     }else{                         return "5";                     }                 }else{                     return "4";                 }             }else{                 return "3";             }         }else{             return "2";         }          return "1";     }     } 

the return; 1,2,3,4,5 debugging see goes wrong, returns 5. if register , user, logout , logout.

p.s, if has security tips code, please comment them!

thanks!


Comments