Password_verify() problem in PHP

Question

Password_verify() problem in PHP

Asked 4 years, 5 months ago

Viewed 105 times

0

My intention is to call a page redirect if the password is not correct using header(), however, I realized that it was not working. I’ve been reducing the tests and I’ve come this far:

// Senha Certa
$senha = 'Teste123';
// Senha Errada
$senha = 'Teste1234';

// hash que combina com a senha 'Teste123'
$hash = '$2y$10$QW0qR0mI1oOB733baaleSe.aXwwAhJlpV6G5vOprKqP14HdcbECO.';

// Verificação da senha
if(!password_verify($senha, $hash)){
    header("Location: acesso-negado.php");
    //die("Usuário ou Senha Invádios");
}

header("Location: index.php");

Putting the wrong password, I realized that it ignores the header("Location: access-denied.php") and continues normally until it reaches the header("Location: index.php") and finally gets redirected.

I also noticed that if you put a die() under the header("Location: access-denied.php") it starts working correctly.

Does anyone know why redirecting only occurs with the use of die() below it? I am using php 7.2.7

There must be some confusion, or the variable returns true and executes the condition or not .

– MagicHat

2020/06/14 at 01:12
Exactly, I’m finding it all very strange. Let’s see if someone takes the test and tell if they’re also having the same problem.

– MichellHenrique

2020/06/14 at 01:16

2 answers

4

Maybe it’s not very clear to you, but the function header does nothing but spit a string on the output, before the HTTP request body. Who handles the Location header and should do the redirect is the client.

So, if you want your entire response to be header Location, you need to close it yourself after you send that header, using exit, or the die as suggested in the other reply. Otherwise, your code keeps running normally, and ends up issuing a second header.

My God, in some obscure part of my learning in php I started using header() imagining that it made a "mandatory redirect" of the page. This a long, long time ago and now I see that everything is wrong, header() is nothing more than handling the header of the HTTP request. What an absurd journey... Thank you!

– MichellHenrique

2020/06/14 at 03:36
1

It’s actually a very common confusion :) And to be complete, it’s not 100% true that the function only emits the header, as I said above; in the case of the Location header, it also causes the return status code to be set to 302.

– bfavaretto

2020/06/14 at 03:44
I was taking a look at the documentation here and I was scared of how much to do with header(). Assign cookie data, specify cache types, pass document data, download and etc. And here I use to redirect pages wrongly :

– MichellHenrique

2020/06/14 at 03:51

Browser other questions tagged php php-7

You are not signed in. Login or sign up in order to post.

by Lucius • **424** points · Answer 1 · 2020-06-14T02:30:44+00:00

Your code is correct. The only thing is that to succeed, you need to finish it after the header("Location: acesso-negado.php");, otherwise it will continue until the next header normally and the other "Location":

// Senha Certa
$senha = 'Teste123';
// Senha Errada
$senha = 'Teste1234';

// hash que combina com a senha 'Teste123'
$hash = '$2y$10$QW0qR0mI1oOB733baaleSe.aXwwAhJlpV6G5vOprKqP14HdcbECO.';

// Verificação da senha
if(!password_verify($senha, $hash)){
    header("Location: acesso-negado.php");
    die; // <-- Finalizando aqui
}

header("Location: index.php");