DDMSEO - Full Stack Developer based in London

Optimize your website SEO with X-RAY SEO Auditor

Published: 20th Dec 2017 | Words: 868 | Reading Time: 5 minutes

Categories / Tags:

Development
PHP

Password hashing in PHP

Password hashing is an important part of software security. If you take a lot of user information, you have things like registration within your website, you should safeguard the storing of sensitive information with encryption. If you your database was ever hacked you wouldn’t have to worry about the hackers gaining access to user account son the application side. PHP provides a simple way of converting passwords to encrypted strings which can be stored in a database. The logic behind an encrypted password is pretty simple and easy to implement. The following example demonstrates how to use encrypt a user password on signup and verify it when they try to login.

Encrypting a website login password

The first step to encrypting a password would happen when the password is first created by the user. On a signup page we may have a small form which asks a user for various information including a site user name and site password. When the form is submitted we can get the value through the request method which could be $POST for instance.

$password = $_POST['site_password'];

To encrypt a password in PHP is very easy. In version 5.5.0 you can just use password_hash. This function takes care of all the encryption for us. We just pass in arguments like we do in other PHP functions. In this case all we need to pass in is $password and just use the PASSWORD_DEFAULT configuration option.

$encryptedString = password_hash($password, PASSWORD_DEFAULT);

// outputs 29eb239c69329953768ba2e981f31ed3ed71daad78659386b245f0e94564a7ec

This encrypted string is what we store in our database as our user password. Because of the length of this random string the chances of anyone figuring out the actual password is pretty much impossible. This protects our passwords on the database end.

"INSERT INTO users (username,password) VAULES (?,?)" // basic SQL

When we want to validate login the process is also very straightforward. We have a login page with a form that asks a user for their username and password and it’s submitted via a $_POST request.

$username = $_POST['login_username']; 
$password = $_POST['login_password']; 

Verifying the password has a few steps to it. When we query the database we don’t actually check the password. We select the password from the database based on the username.

"SELECT password FROM users WHERE username = ?" // basic SQL

This is actually the logic behind a basis user name check also. We are looking to select the dataset record of a user based on the login form user name. If none is found then that user doesn’t exist and the login attempt will fail. The specific bit of information we are looking for is the encrypted password in the database record for the user if the user exists. This is what we inserted earlier when the user signed up.

$encryptedPassword = $row['password']; 

The way the encryption is compared is very clever and also very easy to implement. We take the posted form value, we produce and encrypted string from it and if it matches the encrypted string from our database we know it’s the right password. We basically ask the condition - if I encrypt this login password will it produce the same encrypted password in our database.

if(password_verify($password, $encryptedPassword)) {
   echo 'success'
}

If they don’t match, the login attempt should fail. If they do match its up to you how you proceed. The logic in your application should change to take into account the logged in status of the user.Security features in PHP are something that as soon as you hear about you start to implement them in your projects. Increased security in PHP will usually mean better protection of user data and less vulnerability to exploits. PHP has evolved to make things like encryption pretty easy to implement. You will find hashed values can be used in many places throughout your website to make very specific identifiers. If you’re new to PHP security is a major part of building something. There are numerous exploits people can make use of to give you problems.

Rate this article

Average: 0.00 out of 5 / Votes: 0

Comments

Please login or register to post comments

Login | Register