Jonathan Söder
7,428 Points
How do you hash passwords with PHP?
How do you actually go through this process?
Let's say I have a password, "treehouse", which I want to store in my database. Storing it in a password column as "treehouse" is considered very bad practice. This I get. If someone gets into the database he gets access to all the passwords stored.
So for basic security, what you have to do is use PHP's
<?php
echo password_hash("treehouse", PASSWORD_DEFAULT);
// this prints a hash like the following (the salt is random, so the exact string differs on every call):
$2y$10$gVaZfNP5AK1ZLxYL0fBAIeX/H3z/lUCKNbCyoYqR7RZXNPCf94B1C
I then take that hash and store it in the database password column INSTEAD of "treehouse". I also store it somewhere in the php code for later comparison with user input. So the actual password "treehouse" is actually discarded, it won't be written ANYWHERE, in either database or php files. So the result would be something like this:
- User enters password.
- The user's input is stored in a variable and compared with the hashed password using php's password_verify("$userInput", $storedHash). (Usually in an if-statement).
- If it's a match, it's the correct password.
PASSWORD_DEFAULT uses bcrypt but leaves room for when PHP updates or adds algorithms, so basically that's enough for basic protection? Have I finally understood this correctly?
Please halp this dumbfounded newbie! :=)
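The register-and-login flow described in the question, written out end to end as an added example (this is not code from the original post). It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table named users(id, username, password_hash) as a stand-in for a real database; the function names and the sample username are constructed for the example.

```php
<?php
// Added example: password_hash() on registration, password_verify() on login,
// and password_needs_rehash() so old hashes get upgraded when PHP's defaults change.
// Assumes the pdo_sqlite extension; the users table below is a stand-in schema.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

// A valid bcrypt hash of a throwaway value, used so that a login attempt for an
// unknown username costs roughly the same time as one for a known username.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

function registerUser(PDO $db, string $username, string $password): void
{
    // Only the hash is written to the database; the plaintext is never stored anywhere.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $db, string $dummyHash, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still do one bcrypt verification so the response time
        // does not reveal whether the username exists.
        password_verify($password, $dummyHash);
        return false;
    }

    // password_verify() reads the algorithm, cost and salt out of the stored hash itself.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If PASSWORD_DEFAULT (or its cost) has changed since this hash was created,
    // re-hash now while we still have the plaintext from this login.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => $newHash, ':id' => $row['id']]);
    }

    return true;
}

// Constructed sample run.
registerUser($db, 'jonathan', 'treehouse');
var_dump(loginUser($db, $dummyHash, 'jonathan', 'treehouse')); // correct password
var_dump(loginUser($db, $dummyHash, 'jonathan', 'wrong'));     // wrong password
var_dump(loginUser($db, $dummyHash, 'nobody', 'treehouse'));   // unknown user
```

Note that nothing except the hash is kept after registration, and the login path only ever compares against the value read back from the database, which is exactly the point made in the answer below about not keeping a copy of the hash in the PHP code.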
1 Answer
Ted Sumner
Courses Plus Student 17,967 Points
First, Treehouse does not have a course on this and I REALLY wish they did. I need to learn how to do this right as well. I think you have the basic idea with one exception. You do not store the hashed treehouse in your PHP code. You only store it in your database.
To do user names properly, you also have to use sessions so that inactivity will log them out. I found this site, but I don't know if it really covers everything that needs to be done.
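The session part of the answer, as an added example that is not the answerer's own code: a login session that expires after a period of inactivity. The 15-minute limit, the cookie flags and the user id 42 are constructed values for the example; it assumes the password has already been checked with password_verify() as described in the question.

```php
<?php
// Added example: PHP session handling with an inactivity timeout.
// The timeout value and cookie settings are assumptions, not from the original answer.

declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 15 * 60; // hypothetical policy: log out after 15 idle minutes

function startSecureSession(): void
{
    // Keep the session cookie out of JavaScript and off plain-HTTP connections.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginSession(int $userId): void
{
    // Issue a fresh session id when the user logs in so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = time();
}

function logoutSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser as well as destroying the server-side data.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Returns the logged-in user id, or null if there is no session or it has gone idle.
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return null;
    }
    if (time() - $_SESSION['last_activity'] > IDLE_TIMEOUT_SECONDS) {
        logoutSession();
        return null;
    }
    // Any request that reaches here counts as activity and extends the window.
    $_SESSION['last_activity'] = time();
    return $_SESSION['user_id'];
}

// Constructed usage: call loginSession() only after password_verify() succeeded.
startSecureSession();
loginSession(42);
var_dump(currentUserId());
```

Every protected page would call startSecureSession() and then currentUserId(); a null result means the visitor must log in again, which is what turns an idle session into a forced logout.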
Jonathan Söder
7,428 Points
Ok cool. I appreciate it. Thanks for the answer.