One of the recommended and safest ways to verify a user's password in PHP is the password_verify() function. It was introduced in PHP 5.5 and is designed to check passwords hashed by password_hash(). password_verify() is safer than plaintext comparison or home-grown MD5/SHA1 hashing because it works with bcrypt and the other strong, salted hashing algorithms that password_hash() supports.
A typical scenario for password_verify() is comparing the password entered at login with the password hash stored in the database. Here is a basic example:
<code>
<?php
// The password entered by the user (empty string if the field is missing)
$inputPassword = $_POST['password'] ?? '';

// Hash obtained from the database (for example, generated by password_hash() at registration)
$storedHash = '$2y$10$nOUIs5kJ7naTuTFkBy1veuEvS1ZrWgFzKtFZ7VF6hG8NqZ5U2YfHy';

if (password_verify($inputPassword, $storedHash)) {
    echo "The password is correct, allow login";
} else {
    echo "Password error";
}
?>
</code>
In practical applications, password hashes are stored in a database. During verification you read the hash belonging to the given user from the database and then compare it against the submitted password:
<code>
<?php
// Suppose the username and password are submitted via POST
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Database connection (this example uses PDO); throw on errors instead of failing silently
$pdo = new PDO('mysql:host=localhost;dbname=myapp', 'dbuser', 'dbpass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Query the user's password hash with a prepared statement
$stmt = $pdo->prepare("SELECT password_hash FROM users WHERE username = ?");
$stmt->execute([$username]);
$hash = $stmt->fetchColumn(); // false when the user does not exist

if ($hash && password_verify($password, $hash)) {
    echo "Login successful";
} else {
    // Same message for unknown user and wrong password, so usernames are not revealed
    echo "Error in username or password";
}
?>
</code>
When using password_verify(), you can check whether the stored hash was produced with an algorithm or cost that is no longer what you want (for example, after raising the bcrypt cost) and upgrade it transparently with password_needs_rehash():
<code>
<?php
$options = ['cost' => 12];

if (password_verify($password, $hash)) {
    // The password is correct; rehash only if the stored hash uses outdated parameters
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT, $options);

        // Update the user's hash in the database
        $stmt = $pdo->prepare("UPDATE users SET password_hash = ? WHERE username = ?");
        $stmt->execute([$newHash, $username]);
    }
    echo "Login successful, password hash has been updated";
} else {
    echo "Password error";
}
?>
</code>
For maintainability, it is recommended to encapsulate the password verification logic in a separate method or class so that the password handling policy is managed in one place. For example:
<code>
<?php
class Auth
{
    // Central place for the verification policy: callers never touch the hash format
    public static function verifyPassword(string $inputPassword, string $storedHash): bool
    {
        return password_verify($inputPassword, $storedHash);
    }
}
?>
</code>
Call method:
<code>
<?php
if (Auth::verifyPassword($_POST['password'] ?? '', $storedHash)) {
    echo "Verification passed";
} else {
    echo "Verification failed";
}
?>
</code>
Do not hash the user's input yourself and then compare the result with the stored value; the salt and the hashing algorithm are handled internally by password_verify().
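The following is an added example that is not part of the original page: it combines the encapsulation idea above with the automatic rehashing shown earlier into one small service class, and additionally runs a verification against a throwaway hash when the username does not exist, so that the unknown-user path costs roughly the same time as the known-user path. The class name PasswordService, the users table layout, the in-memory SQLite database and the sample accounts are all assumptions made for this demo.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical PasswordService class, not from the original page).
final class PasswordService
{
    private PDO $pdo;
    private array $options;
    // Hash of a random throwaway password, used so that a login attempt for an
    // unknown username still performs one password_verify() call.
    private string $dummyHash;

    public function __construct(PDO $pdo, array $options = ['cost' => 12])
    {
        $this->pdo = $pdo;
        $this->options = $options;
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT, $options);
    }

    public function register(string $username, string $password): void
    {
        $hash = password_hash($password, PASSWORD_DEFAULT, $this->options);
        $stmt = $this->pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
        $stmt->execute([$username, $hash]);
    }

    // True only when the user exists and the password matches. A hash whose
    // parameters are outdated is upgraded in place after a successful check.
    public function login(string $username, string $password): bool
    {
        $stmt = $this->pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $hash = $stmt->fetchColumn();

        if ($hash === false) {
            // Unknown user: verify against the dummy hash, ignore the result, fail.
            password_verify($password, $this->dummyHash);
            return false;
        }

        if (!password_verify($password, $hash)) {
            return false;
        }

        if (password_needs_rehash($hash, PASSWORD_DEFAULT, $this->options)) {
            $newHash = password_hash($password, PASSWORD_DEFAULT, $this->options);
            $stmt = $this->pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
            $stmt->execute([$newHash, $username]);
        }
        return true;
    }

    public function storedHash(string $username): ?string
    {
        $stmt = $this->pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $hash = $stmt->fetchColumn();
        return $hash === false ? null : $hash;
    }
}

// Constructed demo data: an in-memory SQLite database instead of a real MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// A legacy account whose hash was created with a lower bcrypt cost than the current policy.
$legacyHash = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['alice', $legacyHash]);

$service = new PasswordService($pdo, ['cost' => 12]);
$service->register('bob', 'hunter2');

echo 'alice, wrong password: ', var_export($service->login('alice', 'wrong'), true), PHP_EOL;
echo 'alice, right password: ', var_export($service->login('alice', 'correct horse'), true), PHP_EOL;
echo 'alice cost after login: ', password_get_info($service->storedHash('alice'))['options']['cost'], PHP_EOL;
echo 'bob, right password:   ', var_export($service->login('bob', 'hunter2'), true), PHP_EOL;
echo 'unknown user:          ', var_export($service->login('nobody', 'anything'), true), PHP_EOL;
```

Running this requires the pdo_sqlite extension. The legacy hash for alice is stored with cost 10; after her first successful login password_needs_rehash() reports it as outdated against the cost-12 policy, and the stored hash is replaced, which you can confirm from the cost printed by password_get_info(). The dummy-hash step in login() is a design choice for authentication endpoints: without it, a request for a non-existent user returns measurably faster than one for an existing user, because no bcrypt computation takes place.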
Avoid old hash functions such as md5() or sha1(); they are fast and unsalted and no longer stand up to modern cracking methods.
The hash string is a one-way value; the original password cannot be recovered from it.
The hash generated by password_hash() is different every time because a fresh random salt is embedded in it, yet each such hash is verified correctly by password_verify().
Using password_verify() is one of the key steps in implementing secure user authentication. It not only uses modern hashing algorithms but also simplifies the developer's verification logic and makes password hash upgrades straightforward. In real projects, combine it with database access, an encapsulated verification layer and an automatic rehashing mechanism to build a solid password verification system.
For more best practices on password_verify() and password handling, refer to the official documentation or visit https://gitbox.net/docs/php-password-security .