PHP & MYSQL: using bcrypt hash and verifying password with database

Question

I'm using Mr. Andrew Moore's method (How do you use bcrypt for hashing passwords in PHP?) of hashing user's password. What I did is I have a registration page and it uses

$bcrypt = new Bcrypt(12);
$pass = $_POST['password']; //register password field
$hash= $bcrypt->hash($pass);

// then inserts $hash into database with users registered email (I've checked my mysql database and it indeed has an hashed item

Then I have a login page, consisting of email and password fields. My thought is that email addresses are unique in my database. So with that in mind, I made a script where it check's users email address first, then if there is an existing one, verify the hash password with this

$bcrypt = new Bcrypt(12);

$email = $_POST['email']; //from login email field
$pass_l = $_POST['password']; // from login password field
$hash_1= $bcrypt->hash($pass_1);

$chk_email= $dbh->prepare("SELECT password FROM table WHERE email = ?");
$chk_email -> execute(array($email));

while($row = $chk_email->fetch(PDO::FETCH_ASSOC)){
    $chk_pass = $row['password']; //inside a while loop to get the password
    $pass_isGood = $bcrypt->verify($hash_1, $chk_pass);
    var_dump($pass_isGood); // I'm getting false

}

I'm not sure what I'm doing wrong, I'm supposed to get true. And I have set my tablefield to text or even varchar(256)

Answer 1

Using Andrew Moore's class, you need to call the class verify() method to verify that the user's password matches the hash. The two parameters you pass to it are the plaintext password the user entered and the hash that you stored in the database.

It seems you passed a second hashed password to verify() instead, which is why it's not working. Pass in the plaintext password as the first argument.