There are many ways to secure passwords before storing them in a database, but bcrypt is the de facto standard.
password_hash() - PASSWORD_DEFAULT currently defaults to PASSWORD_BCRYPT, which creates new password hashes with the CRYPT_BLOWFISH algorithm.
This always produces a hash in the "$2y$" crypt format, which is always 60 characters wide.
- salt - manually provide a salt to use when hashing the password. Note that this overrides and prevents the automatic salt generation. If omitted, password_hash() generates a random salt for each password it hashes. This is the intended mode of operation.
- cost - the algorithmic cost to use. Example values are listed on the crypt() page. If omitted, a default of 10 is used. This is a good baseline cost, but consider increasing it depending on your hardware.
More about the Modular Crypt Format (MCF)
It's now time to create the user, since all our checks have passed. We do however need to work with our password a little bit. PHP has a nice feature that we can use for password hashing and for verification. We'll be using password_hash() to actually create the password we store in the database. This method will create a single-direction hash, meaning this hash cannot be reversed to see the plain text password. The password_hash() function takes in some properties. The first property is the plain text password. The next property defines what algorithm you want to use. I suggest that you leave this as PASSWORD_DEFAULT since PHP will update to a new default for you if a better algorithm exists or is created. Currently the algorithm that is used is bcrypt, which will produce a modular crypt format password. The final property is an array of options. We'll be using all the default options for this project, but to learn more, you can find information in the notes. Let's take a quick look at what a password in modular crypt format looks like. The first part states that this is a bcrypt hash in Modular Crypt Format. Modular Crypt Format or MCF is a standard for encoding password hash strings; other options the password may start with are 2a or 2b. The next part of the hash is the cost. This defines how many iterations of the hashing you want. This iteration count will be two to the exponent of the cost value. Typically, this cost is ten and that's fine. But if your computer hardware can handle more you can increase this value. Third in the string is the salt that is used for hashing. The last part of the string is the resulting hash. The plain text of the user password is never stored. Once you put all that together, you will receive a 60 character string that you can safely store in your database.
Now with our understanding of password_hash(), we can hash our password for use in our database. Inside our do register procedure, we're going to add $hashed = password_hash(); we'll pass $password and then PASSWORD_DEFAULT. Next, let's add a new function called createUser. We'll need the email and the password. Again, start with global $db and our try/catch block. And we'll throw our exception. For our query, we're going to INSERT INTO users: email, password, and role_id. We'll be using a role ID of two for general users and a role ID of one for administrators. There will be more on this coming up when we talk about authorization. For our values, we'll use email, password and 2. Prepare our query, bind the values, then we execute. And we'll return findUserByEmail and pass the email. This function will now return the user if the user was created. Let's use this function in our procedure: $user = createUser($email, $hashed); We'll make use of this user after we handle our login. For now, we'll just redirect the user back to the home page. Let's go back to the browser and register a user.
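As an added example (not code from the course notes or the video), this PHP script hashes a password with PASSWORD_DEFAULT, splits the resulting MCF string into the algorithm, cost, salt and hash fields described above, verifies a login attempt, and uses password_needs_rehash() to flag a stored hash whose cost is below the current setting; the sample password and the cost values are constructed.

```php
<?php
// Added example: inspect a bcrypt MCF string, verify a login, and detect
// when a stored hash should be upgraded after the cost option is raised.
declare(strict_types=1);

// Split a "$2y$10$<22-char salt><31-char hash>" string into its MCF fields.
function parseBcryptMcf(string $hash): array
{
    if (strlen($hash) !== 60 || !preg_match('/^\$(2[aby])\$(\d{2})\$(.{53})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt MCF string');
    }
    return [
        'algorithm' => $m[1],                // "2y" for password_hash() output
        'cost'      => (int) $m[2],          // work factor: 2 ** cost iterations
        'salt'      => substr($m[3], 0, 22), // 128-bit random salt, bcrypt base64
        'hash'      => substr($m[3], 22),    // the one-way hash itself
    ];
}

// What createUser() should store: the hash only, never the plain text.
function hashForStorage(string $plain, int $cost = 10): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => $cost]);
}

// Login-time check that also reports whether the stored hash should be
// rehashed, e.g. after the cost was raised on faster hardware.
function checkLogin(string $plain, string $stored, int $currentCost): array
{
    $ok = password_verify($plain, $stored);
    $needsRehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => $currentCost]);
    return ['ok' => $ok, 'needsRehash' => $needsRehash];
}

$plain  = 'correct horse battery staple'; // constructed sample password
$stored = hashForStorage($plain, 10);

print_r(parseBcryptMcf($stored));
var_dump(checkLogin($plain, $stored, 10)); // correct password at the current cost
var_dump(checkLogin('wrong', $stored, 10)); // wrong password
var_dump(checkLogin($plain, $stored, 12)); // cost raised to 12 after this hash was stored
```

When needsRehash is true, call hashForStorage() again with the plain text the user just submitted and update the stored row, so old hashes are upgraded transparently at login.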