Prabin Posted May 9, 2020

```php
<?php
$getp = $_POST["password"];
$newhas = password_hash($getp, PASSWORD_BCRYPT);
```

I am trying to use this code for password hashing, but every time the password is hashed it returns a different value. How do I save the hashed value in the database?
gw1500se Posted May 9, 2020

This is probably as good a place as any to start.
StevenOliver Posted May 10, 2020 (edited)

With PHP security, it's important to really learn what you are doing -- no guesswork! If you google "password_hash" you'll see a lot of explanations and examples.

In the "olden days" passwords were encrypted and stored in a database (which could later be hacked). Many encryption functions can result in strings that can be easily decrypted. In fact, there are a lot of websites that will attempt to decrypt your "super-duper encrypted string" for you, and usually do it in about 5 seconds.

Nowadays, password "hashing" is popular. The password_hash function uses a random string each time to generate a "hash," which, when tested against the original password (using "password_verify"), will result in either a 'true' or a 'false.' You've noticed when you use "password_hash" you will get a different result each time. That is because this function uses a random string (in the case of your example, "PASSWORD_BCRYPT"). However, regardless of how many password_hash results are generated against a specific password, they will all verify as "true." Nowadays, most websites choose to store actual password hashes in databases, rather than actual passwords.

Instead of "PASSWORD_BCRYPT" it is popular to use "PASSWORD_DEFAULT" because as new algorithms are invented with PHP upgrades, "PASSWORD_DEFAULT" supposedly uses the latest and greatest. So, if it were me, even though "PASSWORD_BCRYPT" is considered pretty darn good, I would use "PASSWORD_DEFAULT" instead.

Again, "security related PHP issues" is not the place to just throw in any line of code you found off the net, as one might do when searching for "cool CSS button effects," etc. At the very minimum, do some googling and understand what you are doing. Google "password_hash" "password_verify" and learn all the caveats.

Edited May 10, 2020 by StevenOliver
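Putting the two halves of the answer together, registration (hash and store) and login (fetch and verify), as an added example that is not code from this thread. It assumes PHP 7.4 or later with the pdo_sqlite extension, and constructs an in-memory users table so it runs on its own; the table name, column names and sample credentials are constructed for the example.

```php
<?php
// Added example (not from the original thread): store only the password hash,
// then verify on login. Assumes PHP >= 7.4 with pdo_sqlite available.
// The in-memory SQLite database and its users table are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

function registerUser(PDO $pdo, string $username, string $password): void
{
    // The returned string already embeds the algorithm id, cost and the random
    // salt, which is why it differs on every call. Store the whole string
    // unchanged; the PHP manual recommends a VARCHAR(255) column so that future
    // algorithms with longer output still fit.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown username: spend the same bcrypt work anyway so that the
        // response time does not reveal which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }

    // password_verify() reads the salt and cost out of the stored hash, so
    // any hash ever produced for this password verifies, and no other does.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If PASSWORD_DEFAULT (or its cost) has changed since this hash was
    // stored, rehash now while the plaintext is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }
    return true;
}

// Constructed demonstration values.
$password = 'correct horse battery staple';
registerUser($pdo, 'alice', $password);

// Two hashes of the same password are different strings (random salt) ...
$h1 = password_hash($password, PASSWORD_DEFAULT);
$h2 = password_hash($password, PASSWORD_DEFAULT);
var_dump($h1 !== $h2);
// ... yet both verify against the original password.
var_dump(password_verify($password, $h1) && password_verify($password, $h2));

// Login against the stored hash: correct password, then a wrong one.
var_dump(loginUser($pdo, 'alice', $password));
var_dump(loginUser($pdo, 'alice', 'not the password'));
```

The column stores the hash string exactly as password_hash() returned it; nothing about the salt needs to be kept separately, because password_verify() parses it back out of that string.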
chhorn Posted May 12, 2020

Tip: keep your ears open to the term "rainbow tables".
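On that hint, an added illustration (not from the thread) of why the random salt inside every password_hash() value matters: a lookup table precomputed over unsalted SHA-256 recovers a leaked common password with one array access, while the same table cannot match a password_hash() value because each stored hash has its own salt and must be tested individually at bcrypt cost. The wordlist and leaked values are constructed for the example.

```php
<?php
// Added example (not from the original thread): precomputed lookup against
// unsalted hashes versus salted password_hash() output. All values constructed.

// Precomputation over a (tiny, constructed) wordlist: one hash per candidate,
// keyed by the hash so a leaked value can be looked up directly.
$wordlist = ['123456', 'password', 'letmein', 'qwerty'];
$unsaltedTable = [];
foreach ($wordlist as $candidate) {
    $unsaltedTable[hash('sha256', $candidate)] = $candidate;
}

function lookupUnsalted(array $table, string $leakedHash): ?string
{
    // Constant-cost lookup: the work was all done when the table was built.
    return $table[$leakedHash] ?? null;
}

// A site that stored plain SHA-256 leaks this value for one of its users.
$leakedUnsalted = hash('sha256', 'letmein');
var_dump(lookupUnsalted($unsaltedTable, $leakedUnsalted));

// A site that stored password_hash() output leaks this value instead. The
// random salt means no precomputed table keyed on the bare password matches.
$leakedSalted = password_hash('letmein', PASSWORD_DEFAULT);
var_dump(lookupUnsalted($unsaltedTable, $leakedSalted));

// The only check that works against a salted hash is a full bcrypt
// computation per candidate per stored hash, which is the slow path by design.
var_dump(password_verify('letmein', $leakedSalted));
```

The cost difference is the point: with salts, the table an attacker would need is one per stored hash, and each entry costs a bcrypt run, so the precomputation that makes unsalted hashes cheap to reverse no longer pays off.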