How to use PHP password_hash in Registration and Login form

In this article I am going to create a registration and login form using the password_hash() function. The password hashing API was introduced in PHP 5.5. At the time of writing password_hash() only supports the bcrypt algorithm; later PHP releases added more (PASSWORD_ARGON2I in 7.2 and PASSWORD_ARGON2ID in 7.3), and PASSWORD_DEFAULT is reserved for whatever PHP currently considers the strongest choice.

Syntax:

string password_hash ( string $password , integer $algo [, array $options ] )

Parameters:

string $password : the user-supplied password.
integer $algo : a password algorithm constant. Currently PASSWORD_DEFAULT and PASSWORD_BCRYPT are available.

PASSWORD_DEFAULT: currently uses bcrypt, but this constant is meant to track the strongest algorithm PHP supports and may change in a future release. Code that uses it must be able to store longer hashes than bcrypt produces (see the database table note below).

PASSWORD_BCRYPT: uses CRYPT_BLOWFISH (bcrypt). The result is always a 60-character string starting with $2y$, or false on failure. Caveat: bcrypt only uses the first 72 bytes of the password; anything beyond that is silently ignored.

array $options: an associative array of options. Two keys exist: cost and salt. cost is the work factor: bcrypt runs 2^cost rounds, so each increment doubles the time a hash (and every brute-force guess against it) takes. The default is 10, and going below that is hard to justify. Measure on the server that will verify logins and pick the highest cost that keeps one hash at an acceptable fraction of a second; 10 to 12 is typical on current hardware. salt is a caller-supplied string to use in place of a generated one; providing it prevents a salt from being automatically generated. The salt option was deprecated in PHP 7.0 and is ignored with a warning as of PHP 8.0. Always let PHP generate the salt from its CSPRNG.

Note: if no options are given, a random salt is generated and the default cost (10) is used.
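The cost value is best measured rather than guessed. The following script is an added example and not code from the original article: it times password_hash() at increasing costs on the machine that will verify logins and keeps the highest cost that fits a time budget. The 0.1 s budget and the floor of 10 are assumptions; adjust them to your own login traffic.

```php
<?php
// Added example (not from the original article): choose a bcrypt cost by
// measuring it on the server that will verify logins, instead of guessing.
// Each +1 in cost doubles the work (2^cost rounds). Assumption: a budget of
// 0.1 s per hash is a reasonable figure for an interactive login endpoint.

function timeBcryptCost(int $cost): float
{
    $start = microtime(true);
    password_hash('benchmark-only-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

// Returns the highest cost that still hashes within $budgetSeconds, never
// dropping below $floor (10 is PHP's default; lower values weaken the hash).
function chooseBcryptCost(float $budgetSeconds = 0.1, int $floor = 10, int $ceiling = 31): int
{
    $chosen = $floor;
    for ($cost = $floor; $cost <= $ceiling; $cost++) {
        $seconds = timeBcryptCost($cost);
        printf("cost %2d: %.3f s\n", $cost, $seconds);
        if ($seconds > $budgetSeconds) {
            break;
        }
        $chosen = $cost;
    }
    return $chosen;
}

$cost = chooseBcryptCost();
printf("Using cost %d\n", $cost);

// The cost and salt travel inside the hash string itself, which is why
// password_verify() needs nothing but the stored value. password_get_info()
// reads them back out.
$hash = password_hash('example', PASSWORD_BCRYPT, ['cost' => $cost]);
print_r(password_get_info($hash));
```

Run it once on the production hardware (not a developer laptop), and re-run it when the servers are upgraded; password_needs_rehash() can then migrate existing users to the higher cost at their next login.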

In this post I am using a simple registration and login form with no JavaScript or PHP validation. I have created two files, one for registration and one for login. The database connection is stored in a separate file named config.php. Now let's start.


Database Table:

I have created a users table with 5 fields (id, first_name, last_name, email, password). The PHP manual recommends a 255-character password column: PASSWORD_BCRYPT returns 60 characters, but PASSWORD_DEFAULT may switch to an algorithm with longer output in a future release.

Database Connection: (config.php)

Registration Form: (registration.php)

Simple registration form with First Name, Surname, Email and Password fields. Form will be posted to the same page(registration.php).

Registration Form Submit: (registration.php)

After the registration form is submitted we read the form values into variables, as in the code above. $options is an array with a cost index set to 4. 4 is the minimum cost bcrypt accepts and is used here only to keep the demo fast; in production use at least the default of 10, tuned to your hardware. $hashPassword calls password_hash() with $password as the first parameter, PASSWORD_BCRYPT as the second and $options as the third. $sql is an INSERT statement and $result executes it against the users table; if the row is inserted, "Registration Successful" is printed. Never build that INSERT by concatenating the form values into the SQL string: use a prepared statement with bound parameters, otherwise the registration form is an SQL injection point.

Login Form: (login.php)

Login form with email and password fields.

Login Form Submit: (login.php)

After the login form is submitted, read the email and password values and trim() them. $sql selects the user row matching the email address. The row count is stored in $numRows; if it is 1, the row is fetched as an associative array into $row. Then $password is checked against $row['password'] with password_verify(). password_verify() reads the algorithm, cost and salt out of the stored hash, so nothing other than the hash column needs to be stored. If they match, "Password verified" is printed, otherwise "Wrong Password". Two caveats for a real login page: the email lookup should be a prepared statement, and the failure message should be the same whether the email is unknown or the password is wrong, so the form does not confirm which addresses are registered. After a successful verify, password_needs_rehash() tells you whether the stored hash was made with a lower cost (or an older algorithm) than you use now, so you can rehash while the plaintext is still in hand.
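The registration and login steps above, put together as one added example (this is not the article's own registration.php or login.php). It uses PDO prepared statements, a uniform failure path for unknown emails and wrong passwords, and password_needs_rehash() to upgrade old hashes. It creates the article's users table in an in-memory SQLite database so it runs stand-alone; the DSN, the BCRYPT_COST of 12 and the sample account are assumptions, and in the real application the PDO object would come from config.php.

```php
<?php
// Added example, not the article's own code: registration and login with
// password_hash()/password_verify(), prepared statements and rehashing.
// Uses an in-memory SQLite database so it runs stand-alone; replace connect()
// with the MySQL connection from config.php. The table layout matches the
// article's users table (id, first_name, last_name, email, password).

const BCRYPT_COST = 12; // assumption: tune with a benchmark on your own server

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        first_name VARCHAR(100), last_name VARCHAR(100),
        email VARCHAR(255) UNIQUE, password VARCHAR(255))');
    return $pdo;
}

function registerUser(PDO $pdo, string $first, string $last, string $email, string $password): bool
{
    // The returned string already contains the algorithm, cost and salt.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    // Prepared statement: form input is bound, never concatenated into SQL.
    $stmt = $pdo->prepare('INSERT INTO users (first_name, last_name, email, password)
                           VALUES (:first, :last, :email, :hash)');
    return $stmt->execute([':first' => $first, ':last' => $last,
                           ':email' => $email, ':hash' => $hash]);
}

function loginUser(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown email: still run password_verify() against a dummy hash so the
    // response time does not reveal whether the account exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    $hash = $row ? $row['password'] : $dummy;

    if (!password_verify($password, $hash) || !$row) {
        return false; // caller prints one generic "invalid email or password"
    }

    // Stored hash was made with a lower cost (or an older algorithm) than we
    // use now: rehash transparently while the plaintext is available.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
                       ':id' => $row['id']]);
    }
    return true;
}

// Constructed sample run.
$pdo = connect();
registerUser($pdo, 'Ada', 'Lovelace', 'ada@example.com', 'correct horse battery staple');
var_dump(loginUser($pdo, 'ada@example.com', 'correct horse battery staple'));
var_dump(loginUser($pdo, 'ada@example.com', 'wrong password'));
var_dump(loginUser($pdo, 'nobody@example.com', 'anything'));
```

Only the boolean leaves loginUser(); the page that calls it prints the same message for both failure cases. The dummy verify on unknown emails costs one extra bcrypt computation per failed lookup, which is the price of not leaking account existence through timing.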


Posted in PHP

Author: Ahsan Zameer

I am a web developer and love to explore new things on the web, trying different approaches and ideas to make web development more interesting and enjoyable.