52
Another "fun" fact about php is about its password_hash function
This takes 2 arguments, the password that needs to be hashed and the other to say how difficult the hash needs to be.
The difficulty has an default value so you would guess you just need to write it like
Code:
passsword_hash($password);
And for a lot of functions, you would be right except for this one. To use it with its default value you instead need to write
Code:
password_hash($password,PASSWORD_DEFAULT);
Having said that, its really nice that php offers functions to work with passwords correctly in an easy to use manner.
password_hash returns a string containing a correctly hashed password (thus with salt added) the salt itself and which hash algorithm got used. Just put this in your database and you are done hashing the password.
For checking if a password matches there is the password_verify. This takes the string generated by password_hash and the password the user entered and returns a boolean and this function is even safe against timing attacks.
Thus with just using those 2 functions you are already handling passwords pretty much correctly. There is however one more utility function to make life even better and that is password_needs_rehash.
This function takes a hash generated by password_hash and looks if the used hash algorithm is still safe.
As a result you can very easily make a system that stores passwords correctly, compares passwords correctly and rehashes passwords if needed using a better algorithm whenever a user logs in.
You can say all you want about PHP but you have to admit that stuff like that is pretty cool
