1. Foreword
PHP 5.5 provides many new features and API functions, one of which is the Password Hashing API (for creating and verifying hashed passwords).
It contains 4 functions: password_get_info(), password_hash(), password_needs_rehash(), password_verify().
Before PHP 5.5, we might have used hash functions such as md5 or sha1 to protect passwords (no one stores plain text the way CSDN did...), for example:
echo md5("123456"); // Output: e10adc3949ba59abbe56e057f20f883e
But a plain md5 hash is easy to crack with a dictionary. Finding an md5 "decryption" (lookup) website is enough to recover the original password.
2. Password Hashing API
The Password Hashing API provided by PHP 5.5 solves these problems very well.
Let’s look at the password_hash() function first:
string password_hash ( string $password , integer $algo [, array $options ])
It has three parameters: password, hash algorithm, options. The first two items are required.
Let us simply create a hashed password using password_hash():
$pwd = "123456";
$hash = password_hash($pwd, PASSWORD_DEFAULT);
echo $hash;
The output of the above example looks similar to: $2y$10$4kAu4FNGuolmRmSSHgKEMe3DbG5pm3diikFkiAKNh.Sf1tPbB4uo2
The hash value also changes every time the page is refreshed, because password_hash() generates a new random salt on each call.
After the hash value is created, we can use password_verify() to verify whether the password matches the hash value:
boolean password_verify ( string $password , string $hash )
It receives 2 parameters: password and hash value, and returns a Boolean value. Check whether the previously generated hash value matches the password:
if (password_verify($pwd, '$2y$10$4kAu4FNGuolmRmSSHgKEMe3DbG5pm3diikFkiAKNh.Sf1tPbB4uo2')) {
echo "Password is correct";
} else {
echo "Password is wrong";
}
Basically, the two functions above are all you need to safely create and verify hashed passwords. There are also two other API functions:
password_get_info() //View relevant information about the hash value
password_needs_rehash() //Check whether a hash value was created using a specific algorithm and options
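The login flow below is an added example, not code from the original article. It uses password_get_info() to recognise a legacy md5 value and password_needs_rehash() to upgrade a stored hash once the correct password has been supplied. The names $store, verify_login() and TARGET_COST are hypothetical, the sample accounts are constructed, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example; $store, verify_login() and TARGET_COST are hypothetical names.
const TARGET_COST = 12; // assumed policy value, tune it to your hardware

// Constructed sample data standing in for a user table: one legacy unsalted
// MD5 digest and one bcrypt hash created below the current cost policy.
$store = [
    'alice' => md5('123456'),
    'bob'   => password_hash('123456', PASSWORD_BCRYPT, ['cost' => 10]),
];

function verify_login(array &$store, $user, $password)
{
    if (!isset($store[$user])) {
        return false;
    }
    $stored  = $store[$user];
    $options = ['cost' => TARGET_COST];
    // algoName is 'unknown' for anything password_hash() did not produce.
    $legacy  = password_get_info($stored)['algoName'] === 'unknown';

    $ok = $legacy
        ? hash_equals($stored, md5($password))   // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }
    // The plain password is only available now, so upgrade the record here.
    if ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        $store[$user] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

foreach (['alice', 'bob'] as $user) {
    $ok   = verify_login($store, $user, '123456');
    $info = password_get_info($store[$user]);
    printf("%s: %s, now %s cost=%d\n", $user, $ok ? 'accepted' : 'rejected',
        $info['algoName'], $info['options']['cost']);
}
var_dump(verify_login($store, 'alice', 'wrong password'));
```

After one successful login each, both records are stored as bcrypt at the target cost, so the md5 value no longer exists in the store.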
3. Comments
Although a hashed password created with password_hash() is more secure, it reduces interoperability.
If we use the md5 approach with standard MD5 in PHP, the result can easily be verified from other languages, such as Node.js:
var crypto = require('crypto');
var hash = crypto.createHash('md5').update("123456").digest('hex');
if (hash === "e10adc3949ba59abbe56e057f20f883e") console.log('Password is correct');
A hash value created with password_hash() can basically only be verified through PHP's password_verify().
Each of the two methods has its own advantages and disadvantages. Whether to use md5 (or sha1, etc.) + salt (an interference string) or password_hash() depends on the specific situation.