There are many ways to secure passwords before storing them in a database; bcrypt, however, is the de facto standard.
Documentation
password_hash() - PASSWORD_DEFAULT currently defaults to PASSWORD_BCRYPT and is used to create new password hashes using the CRYPT_BLOWFISH algorithm.
This will always result in a hash using the "$2y$" crypt format, which is always 60 characters wide.
Supported Options:
- salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated. If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
- cost - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page. If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.
More about the Modular Crypt Format (MCF)
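An added example (not code from the course) that ties the notes above together: it hashes with password_hash(), splits the resulting 60-character MCF string into its $2y$ identifier, cost, salt and digest, and verifies a login while re-hashing when the stored cost is below a target. The helper names and the target cost of 12 are assumptions.

```php
<?php
// Added example (not part of the course): hash a password with bcrypt,
// split the resulting Modular Crypt Format string into its parts, verify
// a login attempt, and detect hashes that need a cost upgrade.

function hashPassword(string $plain, int $cost = 10): string
{
    // PASSWORD_DEFAULT is bcrypt today; cost 10 is PHP's default.
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => $cost]);
}

// Break a "$2y$10$<22-char salt><31-char digest>" string into its fields.
function parseBcryptHash(string $hash): array
{
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt MCF string');
    }
    return [
        'algorithm' => $m[1],          // 2y from PHP; 2a / 2b from other libs
        'cost'      => (int) $m[2],    // 2^cost rounds of the key setup
        'salt'      => $m[3],          // 128-bit random salt, bcrypt base64
        'digest'    => $m[4],          // the one-way hash itself
        'length'    => strlen($hash),  // always 60 for bcrypt
    ];
}

// Login check: password_verify() does the comparison; if the stored hash
// uses a lower cost than we now want, return a fresh hash to persist.
function checkLogin(string $plain, string $stored, int $targetCost = 12): array
{
    if (!password_verify($plain, $stored)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => $targetCost])) {
        $newHash = hashPassword($plain, $targetCost); // store this in the DB
    }
    return ['ok' => true, 'newHash' => $newHash];
}

// Constructed sample input: one user password, hashed at the default cost.
$stored = hashPassword('correct horse battery staple');
print_r(parseBcryptHash($stored));
var_dump(checkLogin('correct horse battery staple', $stored)['ok']);
var_dump(checkLogin('wrong password', $stored)['ok']);
```

Because the salt is random, running the script twice yields two different stored strings that both verify the same password.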
It's now time to create the user,
since all our checks have passed.
0:00
We do however need to work with
our password a little bit.
0:04
PHP has a nice feature that we can use for
password hashing and for verification.
0:08
We'll be using password
hash to actually create
0:14
the password we store in the database.
0:17
This method will create
a single direction hash,
0:19
meaning this hash cannot be reversed
to see the plain text password.
0:23
The password hash function
takes in some properties.
0:28
The first property is
the plain text password.
0:31
The next property defines what
algorithm you want to use.
0:35
I suggest that you leave this as
PASSWORD_DEFAULT since PHP will update
0:39
to a new default for you if the better
algorithm exists or is created.
0:44
Currently the algorithm
that is used is bcrypt,
0:50
which will produce a modular
crypt format password.
0:53
The final property is an array of options.
0:56
We'll be using all the default options for
this project, but
1:00
to learn more,
you can find information in the notes.
1:03
Let's take a quick look at what a password
in modular crypt format looks like.
1:07
The first part states that this is
a bcrypt hash in Modular Crypt Format.
1:12
Modular Crypt Format or MCF is a standard
for encoding password hash strings,
1:17
other options the password
may start with are 2a or 2b.
1:24
The next part of the hash is the cost.
1:29
This defines how many iterations
over the hashing you want.
1:32
This iteration count will be two
to the power of the cost value.
1:36
Typically, this cost is ten and
that's fine.
1:40
But if your computer hardware can handle
more you can increase this value.
1:43
Third in the string is the salt
that is used for hashing.
1:48
The last part of the string
is the resulting hash.
1:52
The plain text of the user
password is never stored.
1:55
Once you put all that together, you
will receive a 60 character string that
1:59
you can safely store in your database.
2:04
Now with our understanding
of password hash,
2:06
we can hash our password for
use in our database.
2:09
Inside our do register procedure.
2:13
We're going to add
$hashed = password_hash,
2:15
we'll pass password, and
2:24
then PASSWORD_DEFAULT.
2:29
Next, let's add a new
function called createUser.
2:34
We'll need the email and the password.
2:48
Again, start with global $db
and our try/catch block.
2:55
And we'll throw our exception.
3:16
For our query,
we're going to INSERT INTO USERS.
3:22
Email, password, and role_id.
3:29
We'll be using a role ID of two for
general users and a role ID of one for
3:35
administrators.
3:40
There will be more on this coming up
when we talk about authorization.
3:41
For our values,
3:46
we'll use email,
3:50
password and 2.
3:54
Prepare our query.
4:06
And bind the values.
4:11
Then we execute.
4:39
And we'll return findUserByEmail and
4:42
pass the email.
4:48
This function will now return
the user if the user was created.
4:51
Let's use this function in our procedure.
4:55
$user = createUser($email,
5:02
$hashed);
5:08
We'll make use of this user
after we handle our login.
5:11
For now, we'll just redirect
the user back to the home page,
5:15
redirect back to the home page.
5:20
Let's go back to the browser and
register a user.
5:23