What is password_verify() in PHP? | Complete Guide with Examples
When working with user authentication in PHP, it's important to securely verify passwords without exposing user credentials. This is where the password_verify() function comes into play.
Introduced in PHP 5.5, password_verify() is a built-in PHP function used to verify that a given plaintext password matches a hashed password stored in the database.
🔹 Function Syntax:
bool password_verify(string $password, string $hash)
- $password: The user-entered plaintext password.
- $hash: The hashed password retrieved from your database.
It returns true if the password matches the hash, otherwise returns false.
Why Use password_verify()?
✅ It protects user passwords by never saving plain text passwords.
✅ It works with secure hashing algorithms like bcrypt (password_hash() generates hashes).
✅ It automatically handles the complexity of verifying hashed passwords safely.
Important: Never compare password hashes manually using == or ===. Always use password_verify() to avoid security issues like timing attacks.
How to Use password_verify() in PHP (Simple Example)
Let's walk through a full example of how to hash a password when creating an account and verify it during login.
Step 1: Hash the password (during registration)
<?php
// User registration
$user_password = 'MySecurePassword123!';
// Hash the password using password_hash()
$hashed_password = password_hash($user_password, PASSWORD_DEFAULT);
// Save $hashed_password into your database
echo "Stored Hash: " . $hashed_password;
?>
PASSWORD_DEFAULT uses the bcrypt algorithm by default, which is secure.
Step 2: Verify the password (during login)
<?php
// User login
$entered_password = 'MySecurePassword123!'; // Input from user
$stored_hash = '$2y$10$WfydLz5hNRQkgC2dq7vKWeDq6S81...'; // Retrieved from database
// Verify password
if (password_verify($entered_password, $stored_hash)) {
    echo "Password is correct!";
} else {
    echo "Invalid password.";
}
?>
Explanation:
- password_verify() automatically checks if the entered password, when hashed, matches the saved hash.
- No need to manually hash the entered password again.
Common Use Case: Full Login Form Example
<?php
// Example: Simple login validation using password_verify()
// Assume you fetched these details from your database
$db_username = 'john_doe';
$db_password_hash = '$2y$10$YJlmfXyoXyWx1g7zMEy4luG2i8YOzU2WnIh96w8Pz9FwjkqJUk72W';
// User input (e.g., from HTML form); default to an empty string when a field is missing
$user_input_username = $_POST['username'] ?? '';
$user_input_password = $_POST['password'] ?? '';
if ($user_input_username === $db_username && password_verify($user_input_password, $db_password_hash)) {
    // Escape the name before writing it into the HTML response
    echo "Login successful. Welcome, " . htmlspecialchars($db_username) . "!";
} else {
    // Same message for a wrong username and a wrong password
    echo "Invalid username or password.";
}
?>
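An added example, not part of the original article, that extends the login check above: it runs password_verify() even when the username is unknown, so both failure paths do the same work, and it uses password_needs_rehash() to upgrade a hash created with older settings. The authenticate() helper, the in-memory $users array and the low-cost sample hash are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory array stands in for the users table.
// The cost of 4 simulates a hash that was created with older, weaker settings.
$users = [
    'john_doe' => password_hash('MySecurePassword123!', PASSWORD_BCRYPT, ['cost' => 4]),
];

/**
 * Hypothetical helper: check a login and upgrade the stored hash when needed.
 */
function authenticate(array &$users, string $username, string $password): bool
{
    // Hash of a random value, created once. It is verified against when the
    // username is unknown, so password_verify() runs on every attempt.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    $known = array_key_exists($username, $users);
    $hash  = $known ? $users[$username] : $dummyHash;

    // password_verify() is evaluated first, before the $known check.
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }

    // The plaintext is only available at login, so this is the moment to
    // replace a hash whose algorithm or cost no longer matches the default.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Wrong password, unknown user, then a correct login that triggers the upgrade.
var_dump(authenticate($users, 'john_doe', 'wrong-password'));
var_dump(authenticate($users, 'nobody', 'MySecurePassword123!'));
var_dump(authenticate($users, 'john_doe', 'MySecurePassword123!'));

// After the successful login the stored hash matches the current default.
var_dump(password_needs_rehash($users['john_doe'], PASSWORD_DEFAULT));
```

In a real application the array write would be an UPDATE on the user's row.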
Important Tips for Using password_verify()
- Always use password_hash() to create hashes (never use outdated functions like md5() or sha1()).
- Never store or transmit plaintext passwords.
- Password hashing and verification should be done server-side only.
- Use HTTPS to protect password transmission between browser and server.