Home >Backend Development >PHP Tutorial >PHP 5.5 The easiest way to create and verify hashes_PHP Tutorial
PHP 5.5.0 was released yesterday and brings a comprehensive list of new features and functions. One of the new APIs is the Password Hashing API. It contains 4 functions: password_get_info(), password_hash(), password_needs_rehash(), and password_verify(). Let’s understand each function step by step.
We first discuss the password_hash() function. This will be used as the hash value to create a new password. It contains three parameters: password, hash algorithm, options. The first two items are required. You can use this function according to the following example:
1 $password = 'foo';
2 $hash = password_hash($password,PASSWORD_BCRYPT);
3 //$2y$10$uOegXJ09qznQsKvPfxr61uWjpJBxVDH2KGJQVnodzjnglhs2WTwHu
You'll notice that we didn't add any options to this hash. The available options are now limited to two: cost and salt. To add options you need to create an associative array.
1 $options = [ 'cost' => 10,
2 'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM) ];
After adding the option to the password_hash() function, our hash value changes and is more secure.
1 $hash = password_hash($password,PASSWORD_BCRYPT,$options);
2 //$2y$10$JDJ5JDEwJDhsTHV6SGVIQuprRHZnGQsUEtlk8Iem0okH6HPyCoo22
Now that the hash is created, we can view information about the new hash value through password_get_info(). password_get_info() takes one argument - the hash value - and returns a parameter containing the algorithm (an integer representation of the hashing algorithm used), the algorithm name (the human-readable name of the hashing algorithm used), and the options we used to create the hash associative array of value options).
01 var_dump(password_get_info($hash));
02 /*
03 array(3) {
04 ["algo"]=>
05 int(1)
06 ["algoName"]=>
07 string(6) "bcrypt"
08 ["options"]=>
09 array(1) {
10 ["cost"]=>
11 int(10)
12 }
13}
14 */
The first thing to be added to the Password Hashing API is password_needs_rehash(), which accepts three parameters, hash, hash algorithm and options. The first two are required. password_needs_rehash() is used to check whether a hash value was created using a specific algorithm and options. This is useful if your database is damaged and you need to adjust the hash. By checking each hash value with password_needs_rehash(), we can see whether the existing hash value matches the new parameter, affecting only those values created with the old parameter.
Finally, we have created our hash, looked up how it was created, checked to see if it needs to be re-hashed, now we need to verify it. To verify plain text to its hash value, we must use password_verify(), which takes two parameters, password and hash value, and will return TRUE or FALSE. Let's check the hashed we got to see if it's correct.
1 $authenticate = password_verify('foo','$2y$10$JDJ5JDEwJDhsTHV6SGVIQuprRHZnGQsUEtlk8Iem0okH6HPyCoo22');
2 //TRUE
3 $authenticate = password_verify('bar','$2y$10$JDJ5JDEwJDhsTHV6SGVIQuprRHZnGQsUEtlk8Iem0okH6HPyCoo22');
4 //FALSE
With the above knowledge, you can quickly and securely create hashed passwords in the new PHP 5.5.0 version.