LATEST >>

Welcome Here And Thanks For Visiting. Like Us On Facebook...

EXEIdeas – Let's Your Mind Rock » HTML-CSS-PHP-JavaScript / PHP Codes » How To Encrypt Secure Passwords In New PHP And Store In Database?

How To Encrypt Secure Passwords In New PHP And Store In Database?

How-To-Encrypt-Secure-Passwords-In-New-PHP-And-Store-In-Database
Hi! Here let’s see how to secure passwords in PHP. Developers have a huge responsibility when handling sensitive user data, such as passwords. They must take necessary precautions to store passwords and other sensitive information in a secure manner. Old-school methods use the md5 algorithm to hash passwords and store them in the database. This really is not safe and vulnerable to attack.

But thanks to the community, PHP 5.5 and higher come with the password_hash function that generates a one-way hash that is extremely secure to store passwords in the database. Below, we will see how to securely hash passwords, store them in the database and verify them against the user-given password in PHP.

PHP – Secure Way To Store Passwords:

If you are a budding developer, these are some things to keep in mind when handling the password.

  • Never store passwords as plain text. It’s as good as not having a password at all.
  • Never use MD5 or SHA1 for hashing. They are extremely fast and vulnerable to brute-force attacks. A powerful GPU could easily break the md5 hash.
  • Never try to make your own password hashing. Someone could easily outrun your smartness putting the system vulnerable.
  • Don’t even associate passwords with encryption, as there is this chance to decrypt which is a big NO. Instead, you must use salted one-way hashing for the password.
Recommended For You:
How To Get Address From Latitude And Longitude Using PHP And Google Maps API?

So, what to use to protect passwords?

Use password_hash:

With PHP v5.5+, you are lucky to have the built-in password_hash() function, which uses BCRYPT algorithm to hash the password.

The good thing about BCRYPT is that it is very slow compared to md5 and SHA1. This makes it computationally expensive to brute force. Plus, you can also change the algorithmic cost factor to make it tougher to break.

How To Hash Password?

To hash the password, pass the password string and the algorithm you want to use for the password_hash.

<?php
$email = mysqli_real_escape_string($_POST['email']);
$password = mysqli_real_escape_string($_POST['password']);
$hash = password_hash($password, PASSWORD_BCRYPT);
$sql = "insert into users (email, password_hash) values ($email, $hash)";
mysqli_query($con, $sql);
?>

The password_hash function will automatically generate a random salt that is cryptographically secure. Therefore, it is strongly recommended that you do not provide your own salt (though you can) for the function.

What Should Be The Length Of The Password Field?

Be sure to use at least varchar(60) column to store the password hash, since BCRYPT returns 60 characters length string. But you can keep it to up to 255 characters long if you are considerate about future upgrades to accommodate a much stronger algorithm.

How To Verify User Password?

To verify the password, you must use the function password_verify() which will check the password given by the user against the hash created by password_hash. It returns true if the password and the hash match and false otherwise.

Recommended For You:
Multiple Pages As Show/Hide DIV On A Single Web Page Using Pure JavaScript

Here’s the rough usage of the function,

<?php
$email = mysqli_real_escape_string($_POST['email']);
$password = mysqli_real_escape_string($_POST['password']);
$sql = "select * from users where email=$email";
$result = mysqli_query($con, $sql);
if(mysqli_num_rows($result) > 0) {
    $user = mysqli_fetch_assoc($result);
    if(password_verify($password, $user['password']))
        echo 'Valid password!';
    else
        echo 'Invalid password!';
}
?>

If you are using PHP 5.3.7+, use this https://github.com/ircmaxell/password_compat library that helps you to use password_* functions on older PHP servers.

Guess now you have a clear idea of storing passwords securely in the database with PHP. No matter how awesome your application is, it would be nothing without the proper security measures. I hope you find this post useful. Please, share it on your social circle if you like it.

You Like It, Please Share This Recipe With Your Friends Using...

Be the first to write a comment.

Leave a Reply

Your email address will not be published. Required fields are marked *