This practice will be retired on May 1, 2025.

Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Practice Hashing Passwords in PHP

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

One Solution

3:02 with Alena Holligan

This video covers one solution to the practice session.

Courses

Introduction to Application Security

PHP User Authentication: Securing Passwords

Resources

password_hash — Creates a new password hash using a strong one-way hashing algorithm.

password_verify — Verifies that the given hash matches the given password.

For Step 5 bonus, you could also setup the password hash to be part of the saveUser function. Either way, you need to make sure you're passing the correct information and actually hashing the password before saving it to the database.

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    How did it go? 0:00
    I hope you were able to work through the challenge yourself. 0:00
    But if not, don't worry, I'll walk you step by step through my solution now. 0:04
    For step one, 0:10
    I used a conditional to check the string password with the variable dbPassword. 0:12
    I used triple equal, which compares both the value and the type. 0:17
    In this instance, the double equal would work as well, comparing the values. 0:22
    Either way, the string should not match the stored password, 0:28
    because the stored password is a hash. 0:32
    For step 2, in the password_hash function, I specified the BCRYPT algorithm. 0:35
    But you could also use the DEFAULT as well, 0:41
    because that is currently set to BCRPYT. 0:45
    I've also printed the Hashed Password to the screen, so 0:49
    you can see how it changes every time. 0:52
    For step 3, I've simply compared the new hash to the hash from the database. 0:58
    Again, they should not match because the hash changes every time. 1:05
    For step 4, I'm now using the password_verify function. 1:10
    I pass my string password, as well as the dbPassword. 1:16
    This function should return true because the hash password, in the database, 1:20
    is actually password. 1:25
    For my bonus, step 5, I simply use my saveUser function and 1:27
    pass the new user test2 and the hashed password. 1:32
    Let's take a look in the browser. 1:38
    The first line you see is the stored password. 1:42
    Next, we're comparing the string password with the hash. 1:46
    Notice that these do not match. 1:51
    Next, I'm showing the hashed password. 1:54
    And each time I refresh, it changes. 1:57
    So this hashed password does not match the hashed password in the database. 2:00
    Finally, I'm verifying that the string password 2:06
    does actually match the hash password in the database. 2:10
    We verified the passwords match. 2:14
    Now, to test that my user2 is actually in the database, let's go back to workspaces. 2:17
    I'm going to comment out this line, 2:25
    because each time it will update user2 with a different hash. 2:28
    Because our saveUser will also update any existing users. 2:32
    Now I'm also going to go up here and change test1 to test2. 2:39
    Now when I go back to our browser, we see the new hash and 2:44
    again our password hash is changing. 2:50
    And finally, we verified that the passwords do match. 2:55

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up