```php
$useremail = mysqli_real_escape_string($link, $_REQUEST['useremail']);
$password = mysqli_real_escape_string($link, $_REQUEST['password']);
$confirm_password = mysqli_real_escape_string($link, $_REQUEST['confirm_password']);
$f_name = mysqli_real_escape_string($link, $_REQUEST['f_name']);
$l_name = mysqli_real_escape_string($link, $_REQUEST['l_name']);
$grade_level = mysqli_real_escape_string($link, $_REQUEST['grade_level']);

// Attempt insert query execution
$sql = "INSERT INTO Users (useremail, password, f_name, l_name, grade_level) VALUES ('$useremail', '$password', '$f_name', '$l_name', '$grade_level')";

if ($_POST["password"] === $_POST["confirm_password"])......
```

I've tried to change the code to include the HASH_PASSWORD but I don't believe I am doing it right.

  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. – tadman Apr 23 '19 at 19:50

2 Answers

First of all: please try to use PDO in addition to prepared statements. It is newer and safer. For hashing a string you can use the following code:

```php
$hashpassword = password_hash($yourpassword, PASSWORD_DEFAULT);
```

For checking if an input is the same as the hash you can use:

```php
password_verify($yourinput, $dbpassword);
```

This returns a boolean, so true or false.

– Sentry
  • PDO is not safer (nor is it any less safe). Prepared statements are safer, and you can use them with mysqli. –  Apr 23 '19 at 19:51

Please use PHP's built-in functions password_hash() and password_verify() to handle password security. If you're using a PHP version less than 5.5, you can use the password_hash() compatibility pack. Make sure you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

(Taken from Password Hashing PHP 7)

Also, might I recommend "preparing your statements" using PDO.

Edit: After further reading, I agree with Red Herring... I retract my recommendation

– coder42
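Putting both answers together (password_hash()/password_verify() on the raw password, and a prepared statement instead of mysqli_real_escape_string() plus string interpolation), here is an added example that is not code from the question or either answer. It assumes an open mysqli connection in `$link` and the `Users` table from the question, with the `password` column wide enough (VARCHAR(255)) to hold the hash; the function names `register_user` and `login_user` are made up for the example.

```php
<?php
// Registration: compare the raw passwords, hash once, insert via placeholders.
// $input is the request array, e.g. register_user($link, $_POST).
function register_user(mysqli $link, array $input): bool
{
    // The password is never escaped or trimmed; escaping would change what gets hashed.
    if ($input['password'] !== $input['confirm_password']) {
        return false;
    }
    $hash = password_hash($input['password'], PASSWORD_DEFAULT);

    // Placeholders do the quoting, so mysqli_real_escape_string() is not needed anywhere.
    $stmt = $link->prepare(
        'INSERT INTO Users (useremail, password, f_name, l_name, grade_level) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $input['useremail'], $hash,
                      $input['f_name'], $input['l_name'], $input['grade_level']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login: fetch the stored hash by email, verify, and upgrade the hash if PHP's
// default algorithm or cost has changed since the user registered.
function login_user(mysqli $link, string $email, string $password): bool
{
    $stmt = $link->prepare('SELECT password FROM Users WHERE useremail = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // Unknown email and wrong password take the same branch, so neither is revealed.
    if (!$found || !password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $link->prepare('UPDATE Users SET password = ? WHERE useremail = ?');
        $upd->bind_param('ss', $newHash, $email);
        $upd->execute();
        $upd->close();
    }
    return true;
}
```

The stored value is the salted hash that password_hash() produces, so the plain password never reaches the database and the same password hashes differently for each user.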