There are many ways to secure passwords before storing them in a database; however, bcrypt is the de facto standard.
Documentation
password_hash() - PASSWORD_DEFAULT currently defaults to PASSWORD_BCRYPT and is used to create new password hashes using the CRYPT_BLOWFISH algorithm.
This will always result in a hash using the "$2y$" crypt format, which is always 60 characters wide.
Supported Options:
- salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated. If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
- cost - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page. If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.
More about the Modular Crypt Format (MCF)
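A worked example, added here and not part of the course's project code or the PHP manual, that hashes a password with password_hash(), splits the resulting "$2y$" string into the MCF fields the notes above describe (identifier, cost, salt, hash), verifies a login attempt, and checks whether a stored hash should be rehashed once the cost policy is raised. The function names and the sample password are assumptions for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not the course's code; needs PHP 7.1+ (nullable return types).

/**
 * Split a bcrypt MCF string ("$2y$" + cost + "$" + 22-char salt + 31-char hash)
 * into its fields. Returns null if it is not a 60-character bcrypt hash.
 */
function parseBcryptMcf(string $mcf): ?array
{
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $mcf, $m)) {
        return null;
    }
    return [
        'id'     => $m[1],        // "2y" for PHP's password_hash()
        'cost'   => (int) $m[2],  // work factor; bcrypt runs 2^cost rounds
        'salt'   => $m[3],        // random per password, generated by password_hash()
        'hash'   => $m[4],
        'length' => strlen($mcf), // always 60 for bcrypt
    ];
}

/** Hash a plaintext password; the salt is generated automatically. */
function hashPassword(string $plain, int $cost = 10): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => $cost]);
}

/** Check a login attempt; password_verify is safe against timing attacks. */
function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

/** True when the stored hash used older settings and should be rehashed after a successful login. */
function needsRehash(string $stored, int $targetCost): bool
{
    return password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => $targetCost]);
}

// Constructed demo values, not real user data.
$stored = hashPassword('correct horse battery staple', 10);
$parts  = parseBcryptMcf($stored);
printf("id=%s cost=%d salt=%s length=%d\n", $parts['id'], $parts['cost'], $parts['salt'], $parts['length']);
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('not the password', $stored));
var_dump(needsRehash($stored, 12)); // cost policy raised from 10 to 12
```

Because PASSWORD_DEFAULT can change in a future PHP release, size the database column for longer hashes (the PHP manual suggests 255 characters) rather than exactly 60, and treat a null from parseBcryptMcf() as "not bcrypt" rather than "corrupt".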
0:00 Now that you've made it this far, it's time to create the user,
0:03 since all of our checks have passed.
0:06 We do, however, need to work with our password a little bit more.
0:10 PHP has a nice feature that we can use for our password hashing and
0:14 verification, and it's built into the core.
0:19 We'll be using password hash to actually create the password that we'll store in
0:24 the database.
0:25 This function will create a single direction hash.
0:29 Meaning this hash cannot be reversed to see the plain text password.
0:33 The password hash function takes in some properties.
0:37 The first property is the plain text password.
0:40 The next property defines what algorithm you want to use.
0:45 I suggest that you leave this set as password default,
0:48 since PHP will update to a new default if a better algorithm exists, or is created.
0:54 Currently the algorithm that is used is the bcrypt algorithm,
0:59 which will produce a modular crypt format, MCF password.
1:04 The final property is an array of options.
1:07 We'll be using all the default options for this project, but to learn more,
1:11 you can find information in the notes associated with this video.
1:16 Let's take a quick look at what a password in MCF format looks like.
1:21 That way you'll be familiar with the format when you see the password stored
1:25 this way.
1:25 The $2y$ states that this is a bcrypt hash in modular crypt format.
1:33 Modular crypt format, or MCF, is a standard for
1:37 encoding password hash strings.
1:40 Other options the password may start with are 2a or 2b.
1:45 The next part of the hash is the cost.
1:48 This defines how many iterations over the hashing you want.
1:53 This iteration count will be two times the cost value.
1:57 Typically, this cost is ten and is fine.
2:00 But if your computer hardware can handle more, you can increase this value.
2:05 Third in the string is the actual salt that is used for hashing.
2:08 The last part of the string is the resulting hash.
2:12 The plain text of the user's password is never stored.
2:16 Once you put all that together, you will receive a 60-character string that
2:21 you can safely store in your database.
2:24 Now with our understanding of password hash, we can hash our password for
2:29 use in our database.
2:30 Inside of our doRegister procedure,
2:35 we're going to add $hashed = password_hash,
2:42 and the password with PASSWORD_DEFAULT.
2:50 We're now ready to add the user to the database.
2:54 Once again, the function we'll need is in our Functions_users file.
3:04 We're going to create a user.
3:07 We pass the username and the password.
3:11 Inside this function, we also have a role_id.
3:14 We'll be using a role_id of 2 for general users, and
3:18 a role_id of 1 for administrators.
3:22 You can see here that new registered users will all be set to a general user.
3:28 We'll go into more detail when we talk about the authorization.
3:33 This function uses the find user by username function to return
3:38 the user if the user wasn't created.
3:40 Let's use this function in our procedure.
3:46 We'll set $user = createUser, and
3:50 we'll pass the username and our $hashed password.
3:59 We'll make use of this user after we handle login, but for now,
4:03 we need to add a flash message and redirect the user to the homepage.
4:08 We'll add $session->getFlashBag().
4:14 And this time, we'll add success.
4:20 And say, User Added.
4:25 Then we'll redirect to the homepage.
4:31 Let's try adding a user.
4:36 Admin and the password.
4:43 First make sure they don't match, perfect.
4:46 And then, user.
4:49 And matching passwords.
4:53 Great, it tells us that our user has been added, but we can't log in yet.
4:58 Let's look at that next.