How to use PHP password_hash in Registration and Login form

In this article I am going to create a registration and login form using the password_hash() function. The password_hash API was introduced in PHP 5.5. Right now password_hash only supports the BCrypt algorithm, but PHP will update the API in future to support more algorithms.

Syntax:

string password_hash ( string $password , integer $algo [, array $options ] )

Parameters:

string $password : user defined password.
integer $algo : Password Algorithm Constant. Currently PASSWORD_DEFAULT and PASSWORD_BCRYPT

PASSWORD_DEFAULT: Uses the BCrypt algorithm to create the hash; this will change in future as new and stronger algorithms are added.

PASSWORD_BCRYPT: Uses the CRYPT_BLOWFISH algorithm. It always returns a 60-character string, or false on failure.

array $options: An associative array of options. $options currently has 2 indexes: cost and salt. Cost is the iteration count of the algorithm, which means how many times the algorithm runs to make a strong hash. You must choose a cost value according to your server configuration. I personally recommend using a cost value from 8 to 10. Salt is a user-defined string used in creating the hash. If you provide your own salt, it prevents a salt from being automatically generated. The salt option is deprecated in PHP 7.0.0. It is better to use the salt that is generated by default.

Note: If no option is given, random salt will be generated and default cost will be used.
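The cost and salt behaviour described above can be measured directly. This is an added example, not code from the original article; the function name calibrateBcryptCost and the 50 ms time budget are assumptions for illustration.

```php
<?php
// Added example (not the article's code): pick a bcrypt cost by timing
// password_hash() on this server. $targetMs is an assumed time budget.
function calibrateBcryptCost(float $targetMs = 50.0, int $min = 8, int $max = 15): int
{
    for ($cost = $min; $cost <= $max; $cost++) {
        $start = microtime(true);
        password_hash('calibration-sample', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
        if ($elapsedMs >= $targetMs) {
            return $cost; // first cost that meets the time budget
        }
    }
    return $max;
}

$password = 'correct horse battery staple'; // constructed sample password
$cost = calibrateBcryptCost();
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);

// password_get_info() reads the algorithm and cost back out of the stored string.
$info = password_get_info($hash);
printf("cost=%d length=%d algo=%s\n", $info['options']['cost'], strlen($hash), $info['algoName']);

// No 'salt' option is passed, so each call generates a fresh random salt:
// two hashes of the same password differ, yet both verify, because the
// salt is stored inside the hash string itself.
$other = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
var_dump($hash !== $other);
var_dump(password_verify($password, $hash) && password_verify($password, $other));
```

Each increment of cost doubles the work per hash, so run the measurement on the production hardware rather than a development machine.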

In this post I am using a simple registration and login form with no JavaScript or PHP validation. I have created two different files: one for registration and one for login. The database connection is stored in a separate file named config.php. Now let’s start.


Database Table:

I have created a users table with 5 fields (id, first_name, last_name, email, password). PHP recommends a length of 255 characters for the password field, because PASSWORD_BCRYPT returns 60 characters and PASSWORD_DEFAULT is constantly updating.

Database Connection: (config.php)

Registration Form: (registration.php)

A simple registration form with First Name, Surname, Email and Password fields. The form is posted to the same page (registration.php).

Registration Form Submit: (registration.php)

After the registration form is submitted, we get all the form values and store them in variables, as you can see in the above code. $options is an array with a cost index having a value of 4 (4 is the minimum value of cost; you can set any integer value according to your hardware configuration). The $hashPassword variable holds the result of calling password_hash with $password as the first parameter, the PASSWORD_BCRYPT algorithm as the second parameter and $options as the third parameter. $sql is an INSERT SQL statement. $result adds the record to the users table, and if the record is inserted successfully, “Registration Successfully” is printed.

Login Form: (login.php)

Login form with email and password fields.

Login Form Submit: (login.php)

After the login form is submitted, get the email and password values and trim them using the trim function. $sql is a SQL statement that looks up the email address in the users table. The number of rows returned is stored in the $numRows variable. If $numRows is 1, fetch the row as an associative array into $row. Then compare $password with $row['password'] using the password_verify() function. If they match, print “Password verified”, else print “Wrong Password”.
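The registration and login steps described above, as an added example that is not the article's registration.php or login.php. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server; the function names, the HASH_OPTIONS constant and the sample user are hypothetical. It uses prepared statements for both queries and password_needs_rehash() to upgrade a hash stored with a lower cost.

```php
<?php
// Added example, not the article's registration.php / login.php.
// Assumption: PDO + in-memory SQLite so it runs without a MySQL server.
const HASH_OPTIONS = ['cost' => 10]; // assumed cost, inside the article's 8-10 range

function registerUser(PDO $db, string $first, string $last, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    // Placeholders keep form input out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO users (first_name, last_name, email, password) VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute([$first, $last, $email, $hash]);
}

function loginUser(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false; // same answer for unknown email and wrong password
    }
    // Re-hash while the plaintext is available if the stored cost is outdated.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $new = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
        $db->prepare('UPDATE users SET password = ? WHERE id = ?')->execute([$new, $row['id']]);
    }
    return true;
}

// Constructed demo data below.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT,
           email TEXT UNIQUE, password VARCHAR(255))');

registerUser($db, 'Ada', 'Example', 'ada@example.test', 's3cret-passphrase');
// Simulate a row that was stored earlier with cost 4.
$old = password_hash('s3cret-passphrase', PASSWORD_BCRYPT, ['cost' => 4]);
$db->prepare('UPDATE users SET password = ? WHERE email = ?')->execute([$old, 'ada@example.test']);

var_dump(loginUser($db, 'ada@example.test', 's3cret-passphrase')); // verifies, then re-hashes
var_dump(loginUser($db, 'ada@example.test', 'wrong-password'));
$stored = $db->query('SELECT password FROM users')->fetchColumn();
echo 'stored cost is now ', password_get_info($stored)['options']['cost'], "\n";
```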


Author: Ahsan Zameer

I am a web developer and love to search new stuff on web. Trying different approaches and ideas to make web developing more interesting and enjoyable.

20 Replies to “How to use PHP password_hash in Registration and Login form”

  1. Can I know why my page becomes blank after clicking the login submit button? Please help me.

    This is my code.

      1. Hi Catherine,

        Please check your connection.php file. Make sure there is no error in the connection.php file. If possible, paste the code here so I will also check.

        1. Also in $sql in line 13. Your query should be select * from changePassword where email = ‘”$email.”‘.

          You only need to check the email address first; if the email address exists then $numRows = 1 and your condition will be true.

          1. This is my connection.php, and I already tried to fix line 13 like that but it doesn't work. It still becomes a blank page.

          2. Please! Attach your code with sql file. I will check and send you updated code.

          3. Catherine, you are facing an error because in connection.php you used the mysqli class to create the connection, i.e. new mysqli(), and in the submit code you are running the query with the mysqli function mysqli_query(). On lines 15, 17 and 21 you must use the $conn object.

          4. Use the code below in your connection.php, and set the database, user and password accordingly.

          5. Now my register page also turns into a blank page T.T but the data is still saved in the database.
