How Can I Correctly Use PHP 5.5's `password_hash()` and `password_verify()` for Secure Password Storage?

Using PHP 5.5's password_hash() and password_verify() Functions Correctly

While storing passwords securely is crucial, your proposed method using PHP 5.5's password_hash() function is incorrect.

password_hash() returns a hashed string that includes both the hash and the salt. Storing the salt and hash separately is not recommended. Instead, store the returned hash directly into the database.

To verify the password, fetch both the hash and salt from the database and use password_verify() as follows:

$hashAndSalt = password_hash($password, PASSWORD_BCRYPT);
// Store $hashAndSalt in the database

// Verification
if (password_verify($password, $hashAndSalt)) {
    // Verified
}

Additionally, consider the deprecated nature of ext/mysql and the potential security vulnerabilities in your database statements. It's advisable to use mysqli or PDO and protect against SQL injection attacks following the PHP documentation's guidance.

The above is the detailed content of How Can I Correctly Use PHP 5.5's `password_hash()` and `password_verify()` for Secure Password Storage?. For more information, please follow other related articles on the PHP Chinese website!