登录查看更多内容

How can you securely store and retrieve passwords in PHP applications?

由人工智能和领英社区提供技术支持

Storing and retrieving passwords is a common task for any web developer, but it also involves some serious security risks. If you use plain text or weak encryption methods, you expose your users' data to hackers, identity thieves, and malicious attacks. In this article, you will learn how to securely store and retrieve passwords in PHP applications using modern hashing and verification techniques.

此文章中的业界达人

由社区从 16 条内容中精选。了解更多

Ikram Khizer

Top 3% Full Stack Developer | Laravel | Node | API | React | Vue | Helping Full-Stack Devs Level Up Their Skills
Samar Hayat

Frontend Developer | Expert in ReactJS & NextJS | Delivering High-Quality User Experience | 1+ Years of working with…
Praful Zaru

CEO | Web & SaaS Development | Expert in React.js, Vue.js, PHP, Next.js, TypeScript, Node.js, Laravel, Tailwind.css…

1 Why hashing matters

Hashing is a process that transforms a password into a fixed-length string of characters, called a hash, that is hard to reverse. Hashing makes it difficult for anyone to guess or crack the original password, even if they have access to the database where the hashes are stored. Hashing also allows you to compare passwords without revealing them, by checking if the hashes match. However, not all hashing algorithms are equally secure. Some are outdated, predictable, or vulnerable to brute-force attacks. Therefore, you need to choose a hashing algorithm that is robust, random, and resistant to collisions.

添加您的观点

Ikram Khizer

Top 3% Full Stack Developer | Laravel | Node | API | React | Vue | Helping Full-Stack Devs Level Up Their Skills
举报内容
In PHP applications, use bcrypt or Argon2 for secure password hashing. Avoid storing passwords in plain text or using weak hashing algorithms to protect user credentials effectively.

已翻译

赞
Praful Zaru

CEO | Web & SaaS Development | Expert in React.js, Vue.js, PHP, Next.js, TypeScript, Node.js, Laravel, Tailwind.css, Figma, Python
举报内容
In PHP, securely store passwords using `password_hash()` and retrieve with `password_verify()`. Store hashes in a database with prepared statements to prevent SQL injection. Regularly update your hashing algorithm for enhanced security.

已翻译

赞
Renato Teixeira

Product Owner | Scrum | Desenvolvedor | React | Node | Express | Vite | Javascript
举报内容
Yesterday I started to study login systems with PHP, I'm still at the beginning in this area, and a friend who accompanied me asked if the owner of the application would be able to access all the passwords since they are stored in the database. It was really interesting to explain the concept of hash, even superficially, and it's even more interesting to find this article during my studies today :D

已翻译

赞
Umar Javed

Python
举报内容
For secure password storage in PHP applications, use strong hashing algorithms like bcrypt or Argon2, provided by the `password_hash()` and `password_verify()` functions in PHP. These functions handle hashing and hash verification, incorporating a salt automatically to protect against rainbow table attacks. When storing a password, hash it using `password_hash()` before saving it to your database. To verify a submitted password against the stored hash, use `password_verify()`. These practices ensure passwords are securely managed without compromising security.

已翻译

赞
Umar Javed

Python
举报内容
For secure password storage in PHP applications, use strong hashing algorithms like bcrypt or Argon2, provided by the `password_hash()` and `password_verify()` functions in PHP. These functions handle hashing and hash verification, incorporating a salt automatically to protect against rainbow table attacks. When storing a password, hash it using `password_hash()` before saving it to your database. To verify a submitted password against the stored hash, use `password_verify()`. These practices ensure passwords are securely managed without compromising security.

已翻译

赞

加载更多内容

2 How to hash passwords in PHP

PHP provides a built-in function called password_hash() that can hash passwords using a secure algorithm called bcrypt. Bcrypt is a widely used algorithm that adds salt and iterations to the hashing process, making it harder for attackers to break. Salt is a random string that is added to the password before hashing, to prevent dictionary and rainbow table attacks. Iterations are the number of times the hashing function is applied, to increase the computational cost and time for cracking. To hash a password in PHP, you simply pass the password and a constant called PASSWORD_BCRYPT to the password_hash() function, like this: $hash = password_hash($password, PASSWORD_BCRYPT); The function will return a hash that includes the salt and the iterations, along with some other information. You can then store the hash in your database, preferably in a column with a length of 60 characters or more.

添加您的观点

Yasith Wimukthi

MSc in Big Data Analytics (Reading)| Software Engineer at IFS | Full Stack Developer | Java Developer | Blogger | Tech Enthusiast
举报内容
PHP provides a secure way to hash passwords using the password_hash function. This function takes two arguments: the user's password and a hashing algorithm (often PASSWORD_DEFAULT for the latest secure option). password_hash generates a unique, salted hash. A salt is a random string added to the password before hashing. This makes it even harder for hackers to crack passwords using pre-computed rainbow tables. The hashed password is then stored in your database. To verify a login attempt, you use the password_verify function. It compares the entered password against the stored hash. If they match, the login is successful. This secure hashing approach protects user passwords and prevents unauthorized access to your PHP application.

已翻译

赞
Vladislav G.

Lead Web Developer | Specializing in Python, PHP, JavaScript, React, HubSpot, Firebase
举报内容
To hash a password, you can use the password_hash function. This function uses the bcrypt algorithm by default, which is currently considered secure. Here is how you can hash a password: $password = "yourPasswordHere"; $hashedPassword = password_hash($password, PASSWORD_DEFAULT); echo $hashedPassword;

已翻译

赞
Renato Teixeira

Product Owner | Scrum | Desenvolvedor | React | Node | Express | Vite | Javascript
举报内容
It looks really simply to use, I'm surprised... Will try it on some study applications that I'm working in. I'm just learning about login systems with PHP and this is really helpful and valuable to know.

已翻译

赞
Umar Javed

Python
举报内容
To hash passwords in PHP, use the `password_hash()` function with bcrypt, incorporating salt and iterations for enhanced security. Here's how: ```php $hash = password_hash($password, PASSWORD_BCRYPT); ``` This function returns a hash including the salt and iterations. Store this hash in your database in a column that supports at least 60 characters.

已翻译

赞

3 How to verify passwords in PHP

To verify a password, you need to compare the user input with the stored hash. You cannot do this by using the == operator, because it may not work reliably with binary strings. Instead, you should use the password_verify() function, which is also built-in in PHP. This function takes the user input and the stored hash as arguments, and returns true or false depending on whether they match or not. For example:

if (password_verify($password, $hash)) {
    // Password is valid
} else {
    // Password is invalid
}

The password_verify() function will automatically extract the salt and the iterations from the stored hash, and apply the same hashing algorithm to the user input. This way, you can verify passwords without knowing or exposing the original passwords.

添加您的观点

Samar Hayat

Frontend Developer | Expert in ReactJS & NextJS | Delivering High-Quality User Experience | 1+ Years of working with JavaScript
举报内容
I'd recommend adding a point about using password_needs_rehash() to ensure stored hashes leverage the latest algorithms and cost factors as security best practices evolve. This proactive approach strengthens password security over time.

已翻译

赞
Vladislav G.

Lead Web Developer | Specializing in Python, PHP, JavaScript, React, HubSpot, Firebase
举报内容
Verifying a Hashed Password When a user logs in, you need to verify the entered password against the stored hash. PHP provides the password_verify function for this purpose. Here is how you use it: $enteredPassword = "passwordUserEntered"; $storedHash = "storedHashFromDatabase"; if (password_verify($enteredPassword, $storedHash)) { echo "Password is valid!"; } else { echo "Invalid password!"; }

已翻译

赞

4 How to update passwords in PHP

Sometimes, you may need to update the passwords in your database, either because you want to change the hashing algorithm, or because the user wants to change their password. To do this, you can use the password_needs_rehash() function, which checks if a stored hash is compatible with a given algorithm and options. If it returns true, you can rehash the password with the new algorithm and options, and overwrite the old hash in the database. For example:

if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12])) {
    // Rehash the password with a higher cost
    $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Update the hash in the database
}

The cost option is a parameter that determines the number of iterations for bcrypt. The higher the cost, the more secure the hash, but also the more time and resources it takes to generate and verify. You can adjust the cost according to your needs and performance, but the default value is 10.

添加您的观点

Samar Hayat

Frontend Developer | Expert in ReactJS & NextJS | Delivering High-Quality User Experience | 1+ Years of working with JavaScript
举报内容
Adding a layer of security during password updates can significantly improve overall user account protection. By integrating a password strength check before rehashing, you can ensure users select strong passwords that align with current security best practices.

已翻译

赞

5 How to handle password errors in PHP

When you use the password functions in PHP, you may encounter some errors or exceptions that you need to handle gracefully. For example, if you pass an invalid argument to the password_hash() function, it will return false. If you pass an invalid hash to the password_verify() or password_needs_rehash() functions, they will trigger a warning. To avoid these situations, you should always validate your inputs and outputs, and use the error_reporting() and set_error_handler() functions to control how errors are displayed and handled. For example:

// Set the error reporting level to exclude warnings
error_reporting(E_ALL & ~E_WARNING);
// Define a custom error handler function
function custom_error_handler($errno, $errstr, $errfile, $errline) {
    // Log the error details
    error_log("[$errno] $errstr in $errfile on line $errline");
    // Display a generic error message to the user
    echo "Sorry, something went wrong. Please try again later.";
    // Exit the script
    exit();
}
// Set the custom error handler function
set_error_handler("custom_error_handler");
// Use the password functions as usual

This way, you can prevent the user from seeing any sensitive or confusing information, and provide a better user experience.

添加您的观点

Samar Hayat

Frontend Developer | Expert in ReactJS & NextJS | Delivering High-Quality User Experience | 1+ Years of working with JavaScript
举报内容
While error logging is crucial, consider crafting user-friendly error messages that prioritize security. Instead of revealing if a username or password is incorrect, a generic message like "Invalid login credentials" can deter potential attackers from pinpointing vulnerabilities.

已翻译

赞

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Vladislav G.

Lead Web Developer | Specializing in Python, PHP, JavaScript, React, HubSpot, Firebase
举报内容
- Always use PASSWORD_DEFAULT as the second argument to password_hash so your application automatically adopts stronger algorithms as they are supported by PHP versions. - Ensure your database column for storing hashed passwords can accommodate at least 60 characters, though 255 characters is a safer choice to be future-proof. - Always sanitize and validate user inputs before hashing passwords to avoid any security pitfalls.

已翻译

赞
Yuriy Maksymenko

Laravel / Symfony back-end Developer
举报内容
The topic of storing passwords in the application code is not touched upon. Much has been written about hashing user passwords. But database credentials are usually stored in PHP code as plain text. Framework Symfony proposes a solution - "secrets management system - sometimes called a "vault". I would really like to hear about other similar systems.

已翻译

赞

Web Development

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How can you securely store and retrieve passwords in PHP applications?

1

2

3

4

5

6

1 Why hashing matters

2 How to hash passwords in PHP

3 How to verify passwords in PHP

4 How to update passwords in PHP

5 How to handle password errors in PHP

6 Here’s what else to consider

Web Development

给文章评分

感谢您的反馈

更多Web Development相关文章

更多相关阅读内容

How can you securely store and retrieve passwords in PHP applications?

1

2

3

4

5

6

1 Why hashing matters

2 How to hash passwords in PHP

3 How to verify passwords in PHP

4 How to update passwords in PHP

5 How to handle password errors in PHP

6 Here’s what else to consider

Web Development

给文章评分

感谢您的反馈

查看其他技能