PHP PASSWORD_HASH

You may have a PHP webpage that checks username / password credentials to allow access to another page on your website. The password you are checking against has to be stored somewhere, often in the login check page itself, and if an attacker ever manages to read that source, a plaintext password is simply handed over. With PHP 5.5 and above there is a neat PASSWORD_HASH function you can use to "hash" the password into a string (a one-way hash, bcrypt by default, with a random salt built in, so it cannot be reversed back to the password; this is hashing, not encryption) so that if the hacker is able to view the page, the password will not be discovered.

All you then need in your login routine is to take the password passed from the login page and check it against the stored hash. If they match, then the user must have known the correct password. If he didn't then the check fails, because even a one-character difference gives a completely different hash. Depending on the cost factor you choose, an attacker could sit there for years trying to guess your password. Use the function PASSWORD_VERIFY to do the comparison rather than hashing the input yourself and doing a string compare: it reads the algorithm, cost and salt out of the stored hash, recomputes the hash with those same parameters, and compares in constant time, so the comparison does not leak timing information. Some sample code (the hash shown is a sample; generate your own as described below):-

<?php
session_start();
// password submitted by the login form (empty string if the field is missing)
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
// bcrypt hash of the real password, generated once with password_hash()
$hash = '$2y$10$uEMB1bBylNHZg8Aqz456m.NCvq6kImrXYbj0ov4Kpbf22OX3dem2u';
if (password_verify($pass, $hash))
{
    $_SESSION['authorized'] = true;
    include 'secret.php';
}
else
{
    $_SESSION['authorized'] = false;
    // show error
}

You can easily create the password hash by running this once (for example from the command line) and pasting the output into your page. The second argument is required; PASSWORD_DEFAULT picks bcrypt on current PHP versions:-

echo password_hash("whatever", PASSWORD_DEFAULT);

Each run gives a different string, because a fresh random salt is embedded in the hash; any of them will verify correctly.
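As an added example (not code from the original post), here is the same idea carried a little further: the hashes live in a small store outside the page, users are registered and checked through two functions, and password_needs_rehash() upgrades an old hash the next time the user logs in. The users.json file, the cost of 12 and the field names are assumptions made for this example; in a real site the store would normally be a database queried with prepared statements.

```php
<?php
// Added example, not from the original post. Assumptions for illustration:
// hashes are kept in users.json next to this script, cost 12 is used, and the
// form posts fields named "user" and "pass".
declare(strict_types=1);

const USER_DB   = __DIR__ . '/users.json';   // assumed storage location
const HASH_ALGO = PASSWORD_DEFAULT;          // bcrypt ($2y$) on current PHP
const HASH_OPTS = ['cost' => 12];            // assumed cost; raise it as hardware gets faster

/** Register a user: only the hash is written, never the plaintext password. */
function register(string $username, string $password): void
{
    $users = loadUsers();
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTS);
    saveUsers($users);
}

/** Check credentials; returns true only when password_verify() succeeds. */
function login(string $username, string $password): bool
{
    $users = loadUsers();
    // Unknown user: verify against a throw-away hash anyway, so the response
    // takes the same time and does not reveal which usernames exist.
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : password_hash('placeholder', HASH_ALGO, HASH_OPTS);

    if (!$known || !password_verify($password, $hash)) {
        return false;
    }

    // Stored hash was made with an older algorithm or a lower cost:
    // rehash now, while the plaintext is still in hand.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTS);
        saveUsers($users);
    }
    return true;
}

/** Load the username => hash map from the assumed JSON store. */
function loadUsers(): array
{
    if (!is_file(USER_DB)) {
        return [];
    }
    $data = json_decode((string) file_get_contents(USER_DB), true);
    return is_array($data) ? $data : [];
}

/** Write the username => hash map back to the assumed JSON store. */
function saveUsers(array $users): void
{
    file_put_contents(USER_DB, json_encode($users, JSON_PRETTY_PRINT), LOCK_EX);
}

if (PHP_SAPI !== 'cli') {
    // Web request: this is the part that would sit in the login page.
    session_start();
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['pass'] ?? '');
    if (login($user, $pass)) {
        session_regenerate_id(true);      // new session id after login, against session fixation
        $_SESSION['authorized'] = true;
        $_SESSION['user'] = $user;
        include 'secret.php';
    } else {
        $_SESSION['authorized'] = false;
        http_response_code(401);
        echo 'Login failed';
    }
} else {
    // Command-line self-check: php login.php
    register('alice', 'correct horse battery staple');
    echo 'right password: ', login('alice', 'correct horse battery staple') ? 'accepted' : 'rejected', PHP_EOL;
    echo 'wrong password: ', login('alice', 'wrong') ? 'accepted' : 'rejected', PHP_EOL;
    echo 'unknown user:   ', login('nobody', 'anything') ? 'accepted' : 'rejected', PHP_EOL;
}
```

Run it once from the command line to create users.json and see the three outcomes, then drop it behind your login form. The point of the placeholder hash in login() is that a wrong username and a wrong password cost the same amount of work, so an attacker cannot tell the two apart by timing.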