5

I started to use the CodeIgniter framework, and in their new release docs they say:

DO NOT use this or any other encryption library for user password storage! Passwords must be hashed instead, and you should do that via PHP’s own Password Hashing extension.

The problem is that I use PHP 5.3 and that extension requires 5.5.

What should I use for hashing in PHP 5.3?

AAron

3 Answers

13
private function hash_password($password){
    return password_hash($password, PASSWORD_BCRYPT);
}

public function registerUser($username, $email, $password){
    $data = array(
        'username' => $username,
        'email' => $email,
        'password' => $this->hash_password($password)
    );
    return $this->db->insert('table_name', $data);
}

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
Source: http://php.net/manual/en/function.password-hash.php

Laurel
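An added example, not part of the answer above or of CodeIgniter: one way to produce the same crypt()-compatible "$2y$" bcrypt hash on PHP 5.3, where password_hash() is not available. It assumes PHP 5.3.7 or later (the first release with the "$2y$" identifier) and the openssl extension; bcrypt_hash() and bcrypt_verify() are hypothetical helper names.

```php
<?php
// Added example: bcrypt through crypt() for PHP 5.3.7+.
// bcrypt_hash() / bcrypt_verify() are hypothetical names, not a library API.

function bcrypt_hash($password, $cost = 10)
{
    if ($cost < 4 || $cost > 31) {
        return false;
    }
    // 16 random bytes from a CSPRNG; refuse to continue with a weak source.
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        return false;
    }
    // A bcrypt salt is 22 characters from the alphabet ./A-Za-z0-9
    $salt = substr(str_replace('+', '.', base64_encode($raw)), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    // On failure crypt() returns a short marker string, not a 60-character hash.
    return (is_string($hash) && strlen($hash) === 60) ? $hash : false;
}

function bcrypt_verify($password, $stored)
{
    if (!is_string($stored) || strlen($stored) !== 60) {
        return false;
    }
    // Passing the stored hash as the salt makes crypt() reuse its cost and salt.
    $check = crypt($password, $stored);
    if (!is_string($check) || strlen($check) !== 60) {
        return false;
    }
    // Constant-time comparison; hash_equals() only exists from PHP 5.6.
    $diff = 0;
    for ($i = 0; $i < 60; $i++) {
        $diff |= ord($check[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

// Constructed sample values.
$stored = bcrypt_hash('correct horse battery staple');
var_dump(strlen($stored));
var_dump(bcrypt_verify('correct horse battery staple', $stored));
var_dump(bcrypt_verify('wrong password', $stored));
```

Hashes stored this way are in the standard crypt() format, so password_verify() accepts them unchanged after an upgrade to PHP 5.5 or later.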
-2

You can use the following library to create and verify passwords in CodeIgniter-based applications. It uses PHP's password_hash() and password_verify() functions. You can set the cost and hashing algorithm using this library.

Load library in your constructor:

$this->load->library('password');

To create password, use:

$this->password->hash($password);

And save the password into DB.

To verify entered password:

protected function _verify_credentials($email, $password){
    $condition = [
        'email' => $email
    ];

    $result = $this->db->from('users')
                       ->where($condition)->get();
    if($result->num_rows() === 1){
        $user = $result->row_array();
        if($this->password->verify_hash($password, $user['password'])){
            unset($user['password']);
            return $user;
        } else {
            return false;
        }
    } else {
        return false;
    }
}
Ramsha Omer
-5

Just my 2 cents. Easy way to hash passes.

function hashPassword($pass, $salt=FALSE) {
    //  The following will put the $salt at the beginning, middle, and end of the password.
    //  A little extra salt never hurt.
    if (!empty($salt)) $pass = $salt . implode($salt, str_split($pass, floor(strlen($pass)/2))) . $salt;
    return md5( $pass );
}

Then simply do something like:

function addUser($username, $password) {
    $password = $this->hashPassword($password, $username);
    $dataIns = array(
        'username' => $username
        , 'password' => $password
    );
    if ($this->db->insert('users', $dataIns)) return $this->db->insert_id();
    return FALSE;
}

And later:

function attemptLogin($username, $password) {
    // Query the same table and column that addUser() writes to.
    $query = $this->db->get_where('users', array('username' => $username, 'password' => $this->hashPassword($password, $username)));
    if ($query->num_rows() == 1) {
        // row_array() returns the first row and also works on PHP 5.3.
        $user = $query->row_array();
        $sess = $this->setSession($user);
        return $user;
    }
    return FALSE;
}
SpYk3HH