Create and verify password in PHP with new hashing functions

Previously, when creating a login system, I usually took the user’s password input, md5’d it and stored it in the database. Doing so seemed sufficient. However, no one can be sure that their system is not vulnerable to attacks. In the worst case, when your site gets hacked and your database is stolen, using a weak hashing algorithm on users’ passwords may enable attackers to easily recover the original passwords from such fields. Thus, since PHP 5.5, there are new functions available to help you create and verify password hashes easily. Let’s learn what they are and how to use them.

Creating a password hash with password_hash

Creating a password hash in PHP 5.5 and later is very simple.

$hash = password_hash('easy-password', PASSWORD_DEFAULT, ['cost' => 12]);

and if you echo the hash, you’ll see something similar to this:

echo "hash is: {$hash}";

If you run the script again (reload the browser in my case), you’ll get a new hash string (still the same password input!):

This is quite strange for people who are familiar with md5. With md5, one input always gives one output. Here, one input generates many different outputs, because password_hash generates a fresh random salt on every call and stores it inside the hash string. This makes the effort of building a dictionary that maps easy-to-guess passwords to their hashes worthless.

password_hash takes 3 parameters:

  1. The raw password. This is what the user enters along with their email/id to log in to your application.
  2. The hashing algorithm. There are a few of them; you can find the list here.
  3. Additional options, which most of the time consist of the cost option. In the example, I used cost = 12. A higher cost provides higher security but takes more time.

Verify the password with password_verify

To verify a password against its hash, we’ll use password_verify. Consider the case of user login: the user provides the raw password (without hashing). Our application fetches the password hash from the database and checks whether the raw password and the hash match.

If you used md5 before, the code may look like this:

if ( md5($raw_user_input) == $password_hash_in_database )
{
    //ok to login
}

However, if you hashed the password using password_hash, you’ll use password_verify to check it.

if (password_verify($raw_user_input, $password_hash_in_database))
{
    //ok to login
}

For example, in my case:

$verified = password_verify('easy-password', '$2y$12$06uHkyogkUveLLLVIFhvsOFzpBrYkZ8XIegVdwj0RtE/zI/dzfHnq');

echo "verify is: {$verified}";

The output is:

You can see that the hash was successfully verified.
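The registration and login flow described above, as an added example that is not code from the original post: it uses password_hash and password_verify, upgrades rows still holding an md5 digest the moment the user logs in, and rehashes when the stored cost or algorithm is out of date. The $users array is an assumed stand-in for the database table.

```php
<?php
// Added example, not code from the original post: a login helper built on
// password_hash / password_verify that also upgrades legacy md5 rows and hashes
// made with an outdated cost. Assumed: the $users array stands in for the table.

function make_hash($password)
{
    // A fresh random salt is generated on every call, so the same password gives
    // a different string each time; the salt travels inside the "$2y$12$..." hash.
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function is_legacy_md5($stored)
{
    // Rows from the old md5 scheme hold a bare 32-hex-character digest.
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

function login(array &$users, $email, $password)
{
    if (!isset($users[$email])) {
        return false;
    }
    $stored = $users[$email];
    if (is_legacy_md5($stored)) {
        // hash_equals compares in constant time; == would not, and it applies
        // PHP's loose comparison rules to the two strings.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $users[$email] = make_hash($password);  // plaintext is available: upgrade now
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Verified; rehash if the stored hash uses an older algorithm or a lower cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 12])) {
        $users[$email] = make_hash($password);
    }
    return true;
}

// Constructed sample data: one modern row, one legacy md5 row.
$users = ['alice@example.com' => make_hash('easy-password'),
          'bob@example.com'   => md5('old-password')];
var_dump(login($users, 'alice@example.com', 'easy-password'));
var_dump(login($users, 'bob@example.com', 'old-password'));  // bob's row is now a bcrypt hash
var_dump(is_legacy_md5($users['bob@example.com']));
```

After the second login call, bob’s row no longer matches the md5 pattern, so the legacy branch is never taken again for that account.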

That’s what I learned today. This is part of a 7-day challenge to learn one topic every day. Thanks for reading.

Quick Composer Tutorial – Learn Composer PHP in 10 Minutes

I’ve been writing code in PHP for more than 5 years and it’s a shame to admit that I didn’t know composer until recently. I’ve read some tutorials but couldn’t get my head around it. I have to admit that since I mostly code small web projects (WordPress plugins…) I don’t feel the need for a package manager. However, to call myself a PHP developer, I have to know its most popular package manager. In this post, I’m going to share my understanding of composer and how to get started with it, so you might benefit from my experience too.

What is composer?

Composer is a package manager that helps you deal with PHP dependencies. Previously, when I didn’t use Composer, I mostly used include_once to include the libraries. In addition, I had to download the libraries and put them into my project all by myself. That’s no longer the case with composer.

Let’s see how it works.

Installing Composer

Installing composer is simple in every environment. If you are on Windows, you can download the installer and go through the process in just a minute. I’m not going into much detail here since the directions on https://getcomposer.org are detailed enough.

Using composer

Using composer is a very straightforward process: we first tell composer which library to include and it fetches that library for us.

Start a fresh project with composer

Now that we have composer installed, let’s get started: create an empty folder and type in

composer init

The console will walk you through various steps to gather information about the project you want to create. I used the default option for most of the questions. After finishing all the steps, composer creates a composer.json file. Open it up and you’ll see the content you’ve just entered.

Run composer init to create composer.json file

Here is the content of the composer.json

{
    "name": "myn/lab",
    "description": "This is a test composer project",
    "license": "MIT",
    "require": {}
}

As you can see, the “require” element is just an empty object. When we add dependencies, all of them will be listed here.

Adding libraries to composer

Now we have a composer project. Let’s add a library and use it. I’m going to include a logging library called monolog in the project. You can find details about that project here.

To get the monolog library, simply run:

composer require monolog/monolog

Composer will go ahead and fetch monolog and also its dependencies (if any) for us.

If you check the composer.json, you’ll see it is updated:

{
    "name": "myn/lab",
    "description": "This is a test composer project",
    "license": "MIT",
    "require": {
        "monolog/monolog": "^1.24"
    }
}

Now, let’s write some code to use monolog.

Include the autoload.php file

If you look, composer also created a folder called vendor. Inside it lie the libraries and a file called autoload.php. When creating a PHP script, you simply include the autoload.php file to have access to all the dependencies you installed.

I’m going to create an index.php in the root folder and include the autoload.php file.

<?php

require 'vendor/autoload.php';

use Monolog\Logger;
use Monolog\Handler\StreamHandler;


$log = new Logger('test-logger');
$log->pushHandler(new StreamHandler('C:\\xampp\\htdocs\\lab\\log.txt', Logger::WARNING));

$log->warning("Testing monolog");

If I run the file now, a log.txt file is created at C:\xampp\htdocs\lab with the content below:

[2018-12-10 09:55:15] test-logger.WARNING: I do some test [] []

You may wonder how I knew what code to type into the PHP file. Well, the maker of monolog provides example code on the library page on packagist.
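The index.php above, extended as an added example (not code from the original post or from the Monolog project) to show what the handler level does and to keep the log file out of the web root. It assumes composer require monolog/monolog has been run in this folder; the temp-directory log path is a constructed location.

```php
<?php
// Added example, not code from the original post or from Monolog itself: extends
// the index.php above to show what the handler level does and to keep the log
// file out of the web root. Assumed: composer require monolog/monolog has been run
// in this folder; the log path is a constructed temp-directory location.

require 'vendor/autoload.php';

use Monolog\Logger;
use Monolog\Handler\StreamHandler;

function make_logger($logFile)
{
    $log = new Logger('test-logger');
    // Only records at WARNING or above reach this handler; debug/info are dropped.
    $log->pushHandler(new StreamHandler($logFile, Logger::WARNING));
    return $log;
}

// A file under htdocs (as in the post) would be served to anyone who requests
// /lab/log.txt; write it somewhere the web server does not serve instead.
$logFile = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lab-log.txt';
@unlink($logFile);

$log = make_logger($logFile);
$log->debug('this line is below the handler level and is not written');
$log->warning('Testing monolog', ['user' => 'alice']);            // context is appended as JSON
$log->error('Login failed', ['user' => 'alice', 'attempts' => 3]);

// Show what actually landed on disk: the warning and the error, no debug line.
echo file_get_contents($logFile);
```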

Conclusion

Now I have a basic understanding of composer, the PHP package manager. I hope this post can help you understand composer a bit better. I still have a lot to learn and I’ll share all my findings here with you.