Home >Database >Mysql Tutorial >How Can I Correctly Use PHP 5.5's `password_hash()` and `password_verify()` for Secure Password Storage?

How Can I Correctly Use PHP 5.5's `password_hash()` and `password_verify()` for Secure Password Storage?

Barbara Streisand
Barbara StreisandOriginal
2024-12-12 11:25:14525browse

How Can I Correctly Use PHP 5.5's `password_hash()` and `password_verify()` for Secure Password Storage?

Using PHP 5.5's password_hash() and password_verify() Functions Correctly

While storing passwords securely is crucial, your proposed method using PHP 5.5's password_hash() function is incorrect.

password_hash() returns a hashed string that includes both the hash and the salt. Storing the salt and hash separately is not recommended. Instead, store the returned hash directly into the database.

To verify the password, fetch both the hash and salt from the database and use password_verify() as follows:

$hashAndSalt = password_hash($password, PASSWORD_BCRYPT);
// Store $hashAndSalt in the database

// Verification
if (password_verify($password, $hashAndSalt)) {
    // Verified
}

Additionally, consider the deprecated nature of ext/mysql and the potential security vulnerabilities in your database statements. It's advisable to use mysqli or PDO and protect against SQL injection attacks following the PHP documentation's guidance.

The above is the detailed content of How Can I Correctly Use PHP 5.5's `password_hash()` and `password_verify()` for Secure Password Storage?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn