Why isn't PHP's "password_hash" returning a string?

Question

<?php
    $connection=new PDO("mysql:host=localhost;dbname=userdata", "secure_credentials", "battery_staple");
    $user=$_POST['username1'];
    $pass=$_POST['password1'];
    $snip=mb_substr($user, 0, 3);
    $pass=password_hash($pass, PASSWORD_BCRYPT);
    $user_query=$connection->prepare("INSERT INTO login (email, password, semod, snippet) VALUES (:email, :password, :semod, :snippet)");
    $user_query->bindParam(':email', $user);
    $user_query->bindParam(':password', $pass);
    $user_query->bindParam(':semod', "false");
    $user_query->bindParam(':snippet', $snip);
    $user_query->execute;

(Password changed)

I'm facing a small problem with the above PHP code, whenever it's executed I get this error:

Fatal error: Cannot pass parameter 2 by reference in [location] on line [##: I shortened the above code... it's the password field with issues]

Looking around, this seems to be an issue when passing an string/integer directly, without using a variable. However, password_hash() returns a string, so I am led to believe that it's not returning a string. What could be the problem of this issue?

Answer 1

Your error is on this line:

$user_query->bindParam(':semod', "false");

You need to use bindValue.

$user_query->bindValue(':semod', "false");

bindParam passes the second argument by reference, so it has to be a variable, not a literal.

Additionally, known values don't need to be bound. You could have just as easily added the literal 'false' string to your statement query, ie

"INSERT INTO login (email, password, semod, snippet) VALUES (:email, :password, 'false', :snippet)"