etutorialspoint
  • Home
  • PHP
  • MySQL
  • MongoDB
  • HTML
  • Javascript
  • Node.js
  • Express.js
  • Python
  • Jquery
  • R
  • Kotlin
  • DS
  • Blogs
  • Theory of Computation

PHP secure password with password_hash() and verify with password_verify()

In this article, you will learn how to generate a hashed password using PHP password_hash() and store it in the database, and how to and retrieve the password from the database and verify the user password in a secure way using the PHP password_verify() method. Password storage is a very crucial part. If a hacker was able to break into the database and steal the password table, the attacker could then access every client account.





In older articles, we used MD5 and SH1 hashing to store passwords. These methods are old and not very secure as they can be easily cracked. In the latest versions of PHP, there is no need to encrypt or decrypt a password or use your own hashing algorithm. So in this article, we have used the password hashing techniques that were introduced in PHP >= 5.5.





PHP password_hash()

The password_hash() method of PHP creates a new password hash using a one-way strong hashing algorithm. It randomly generates salt while hashing passwords. So, there is no need to create and store salt in a separate column. It is the easiest and most secure approach.

Syntax

password_hash($password, $algorithm, $options)

Parameters

$password- The password entered by the user.
$algorithm- This is the hashing algorithm. These are the following current hashing algorithm -

  • PASSWORD_DEFAULT- This is the default hashing algorithm introduced in PHP 5.5. It returns the password hash of more than 60 characters.
    password_hash($password, PASSWORD_DEFAULT)


  • PASSWORD_BCRYPT- It is used to create a password hash using CRYPT_BLOWFISH algorithm. It returns 60 characters password hash identified with '$2y$'.
    password_hash($password, PASSWORD_BCRYPT)

    The third parameter of password_hash() contains an optional parameter which is an associative array. The supported options of PASSWORD_BCRYPT are salt and cost.

    Salt - We can provide manual salts.
    Cost- Maximum algorithmic cost to be applied, the default value is 10. 

    $options = array(
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
    'cost' => 12,
  );
$password_hash = password_hash($password, PASSWORD_BCRYPT, $options);


  • PASSWORD_ARGON2I- It was introduced in PHP 7.2 and provides security against side channel attacks. We can use this algorithm only if PHP has been compiled with Argon2. Argon2 is a winner of the Password Hashing Competition in July 2015.
    password_hash($password, PASSWORD_ARGON2I)





    The third parameter of password_hash() contains an optional parameter which is an associative array. The supported options of PASSWORD_ARGON2I are memory_cost, time_cost, and threads.

    Memory Cost - Maximum memory cost to be applied to generate the hash.
    Time Cost - Maximum time to be taken to calculate the hash.
    Threads - Number of threads to be used.

    $options = [
    'memory_cost' => 2048
    'time_cost'   => 4,
    'threads'     => 3,
];
$password_hash = password_hash($password, PASSWORD_ARGON2I, $options);


  • PASSWORD_ARGON2ID - It is introduced in PHP 7.3. We can use this algorithm only if PHP has been compiled with Argon2.
    password_hash($password, PASSWORD_ARGON2ID)

    The supported options of PASSWORD_ARGON2ID are memory_cost, time_cost and threads.
    $options = [
    'memory_cost' => 2048
    'time_cost'   => 4,
    'threads'     => 3,
];
password_hash($password, PASSWORD_ARGON2ID, $options)




PHP store password in the database

When the user registers or signs up in your application, you can hash the entered password with one of the above password_hash() functions and store the hashed password in the database.

Here, we have used the PASSWORD_BCRYPT hashing algorithm to hash the password and then use the mysqli database connection code to connect to the database and insert the query into the 'users' table. Please make sure to replace the database credentials with yours.

$username = $_POST['username'];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_BCRYPT);
$conn = new mysqli('hostname', 'username', 'password', 'databasename');
//Check for connection error
if($conn->connect_error){
  die("Error in DB connection: ".$conn->connect_errno." : ".$conn->connect_error);    
}
$insert = "INSERT INTO `users` (`uid`, `username`, `password`) VALUES
          (NULL, $username, $hash)";
if($conn->query($insert)){
 echo 'Data inserted successfully';
}
else{
 echo 'Error '.$conn->error;  
}




PHP password_verify()

PHP provides the password_verify() function to match the given password with its hash.

Syntax

password_verify($password, $hash)

Parameters

$password - This is the user's password entered at login.
$hash - The password hash created using password_hash().



Match the user's password with hash password

When a user attempts to login in your application, we use the password_verify() function to compare the provided password to the hash password value stored in the database.

$username = $_POST['username'];
$password = $_POST['password'];
$conn = new mysqli('hostname', 'username', 'password', 'databasename');
if($conn->connect_error){
  die("Error in DB connection: ".$conn->connect_errno." : ".$conn->connect_error);    
}
$select = "SELECT password FROM `users` WHERE username = '$username'";
$result = $conn->query($select);
while($row = $result->fetch_object()){
  $hash = $row->password;
}
if(password_verify($password, $hash)) {
 print "Login succeeds";
} else {
 print "Login fails.";
}

In the above code, we have written the SELECT query to fetch the stored hash password of the provided username and matched with the user's entered password using the password_verify() function. This function returns TRUE if both are the same, otherwise it returns FALSE.





Related Articles

Recover forgot password using PHP and MySQL
PHP7 Password Hashing
PHP secure random password generator
How to display PDF file in PHP from database
How to read CSV file in PHP and store in MySQL
Create And Download Word Document in PHP
PHP SplFileObject Standard Library
Simple File Upload Script in PHP
Sending form data to an email using PHP
Recover forgot password using PHP and MySQL
Php file based authentication
Simple PHP File Cache
How to get current directory, filename and code line number in PHP
Preventing Cross Site Request Forgeries(CSRF) in PHP
Recover forgot password using PHP and MySQL
How to add google reCAPTCHA v2 in registration form using PHP
Complete HTML Form Validation in PHP



Most Popular Development Resources
Retrieve Data From Database Without Page refresh Using AJAX, PHP and Javascript
-----------------
PHP Create Word Document from HTML
-----------------
How to get data from XML file in PHP
-----------------
Hypertext Transfer Protocol Overview
-----------------
PHP code to send email using SMTP
-----------------
Characteristics of a Good Computer Program
-----------------
How to encrypt password in PHP
-----------------
Create Dynamic Pie Chart using Google API, PHP and MySQL
-----------------
PHP MySQL PDO Database Connection and CRUD Operations
-----------------
Splitting MySQL Results Into Two Columns Using PHP
-----------------
Dynamically Add/Delete HTML Table Rows Using Javascript
-----------------
How to get current directory, filename and code line number in PHP
-----------------
How to add multiple custom markers on google map
-----------------
Get current visitor\'s location using HTML5 Geolocation API and PHP
-----------------
Fibonacci Series Program in PHP
-----------------
Simple star rating system using PHP, jQuery and Ajax
-----------------
How to Sort Table Data in PHP and MySQL
-----------------
Simple pagination in PHP with MySQL
-----------------
How to generate QR Code in PHP
-----------------
Submit a form data using PHP, AJAX and Javascript
-----------------
PHP MYSQL Advanced Search Feature
-----------------
jQuery loop over JSON result after AJAX Success
-----------------
Recover forgot password using PHP7 and MySQLi
-----------------
PHP Server Side Form Validation
-----------------
jQuery File upload progress bar with file size validation
-----------------
PHP user registration and login/ logout with secure password encryption
-----------------
To check whether a year is a leap year or not in php
-----------------
Php file based authentication
-----------------
Simple File Upload Script in PHP
-----------------
Simple PHP File Cache
-----------------
PHP User Authentication by IP Address
-----------------
Calculate the distance between two locations using PHP
-----------------
PHP Secure User Registration with Login/logout
-----------------
Polling system using PHP, Ajax and MySql
-----------------
How to print specific part of a web page in javascript
-----------------
Detect Mobile Devices in PHP
-----------------
Simple Show Hide Menu Navigation
-----------------
Simple way to send SMTP mail using Node.js
-----------------
SQL Injection Prevention Techniques
-----------------
Get Visitor\'s location and TimeZone
-----------------
Preventing Cross Site Request Forgeries(CSRF) in PHP
-----------------
Google Street View API Example
-----------------
PHP Sending HTML form data to an Email
-----------------
Driving route directions from source to destination using HTML5 and Javascript
-----------------
CSS Simple Menu Navigation Bar
-----------------
Date Timestamp Formats in PHP
-----------------
Convert MySQL to JSON using PHP
-----------------
PHP Programming Error Types
-----------------
Set and Get Cookies in PHP
-----------------
How to add google map on your website and display address on click marker
-----------------
How to select/deselect all checkboxes using Javascript
-----------------
PHP Getting Document of Remote Address
-----------------
How to display PDF file in web page from Database in PHP
-----------------
File Upload Validation in PHP
-----------------
PHP FTP Connection and File Handling
-----------------


Most Popular Blogs
Most in demand programming languages
Best mvc PHP frameworks in 2019
MariaDB vs MySQL
Most in demand NoSQL databases for 2019
Best AI Startups In India
Kotlin : Android App Development Choice
Kotlin vs Java which one is better
Top Android App Development Languages in 2019
Web Robots
Data Science Recruitment of Freshers - 2019


Interview Questions Answers
Basic PHP Interview
Advanced PHP Interview
MySQL Interview
Javascript Interview
HTML Interview
CSS Interview
Programming C Interview
Programming C++ Interview
Java Interview
Computer Networking Interview
NodeJS Interview
ExpressJS Interview
R Interview


Popular Tutorials
PHP Tutorial (Basic & Advance)
MySQL Tutorial & Exercise
MongoDB Tutorial
Python Tutorial & Exercise
Kotlin Tutorial & Exercise
R Programming Tutorial
HTML Tutorial
jQuery Tutorial
NodeJS Tutorial
ExpressJS Tutorial
Theory of Computation Tutorial
Data Structure Tutorial
Javascript Tutorial




General Knowledge

listen
listen
listen
listen
listen
listen
listen
listen
listen


Learn Popular Language

listen
listen
listen
listen
listen

Blogs

  • Jan 3

    Stateful vs Stateless

    A Stateful application recalls explicit subtleties of a client like profile, inclinations, and client activities...

  • Dec 29

    Best programming language to learn in 2021

    In this article, we have mentioned the analyzed results of the best programming language for 2021...

  • Dec 20

    How is Python best for mobile app development?

    Python has a set of useful Libraries and Packages that minimize the use of code...

  • July 18

    Learn all about Emoji

    In this article, we have mentioned all about emojis. It's invention, world emoji day, emojicode programming language and much more...

  • Jan 10

    Data Science Recruitment of Freshers

    In this article, we have mentioned about the recruitment of data science. Data Science is a buzz for every technician...

Follow us

  • etutorialspoint facebook
  • etutorialspoint twitter
  • etutorialspoint linkedin
etutorialspoint youtube
About Us      Contact Us


  • eTutorialsPoint©Copyright 2016-2022. All Rights Reserved.