How to Secure User Passwords in PHP with password_hash

This guide explains why password hashing is crucial for protecting user credentials, introduces PHP's password_hash and password_verify functions, provides a complete code example, and highlights automatic salting and verification best practices for robust password security.


Passwords are a critical security element in modern web applications, and protecting them is essential. Hashing is a one-way transformation: the original value cannot be read back from the stored hash, so even if a database is compromised, attackers do not obtain the plain passwords directly.

PHP offers the password_hash function, which takes the raw password as the first argument and a hashing algorithm constant (e.g., PASSWORD_DEFAULT) as the second, returning a salted hash string.

$password = "myPassword";

// Hash the password using the default bcrypt algorithm
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);

// Store $hashedPassword in the database
// ...

// Verify a user-provided password (here taken from the submitted login form)
$inputPassword = $_POST['password'] ?? '';
if (password_verify($inputPassword, $hashedPassword)) {
    echo "密码匹配";
} else {
    echo "密码不匹配";
}

In the example, the raw password is stored in $password, then password_hash creates a hash stored in $hashedPassword, which should be saved to the database.

When a user logs in, password_verify compares the entered password with the stored hash; it returns a boolean indicating whether they match, allowing the application to accept or reject the login.

Note that password_verify expects the user‑provided password as its first parameter and the stored hash as its second; it handles the comparison internally and returns true or false.

Importantly, password_hash automatically generates a unique salt for each password and embeds it within the resulting hash, so developers do not need to manage salting manually, which enhances security.
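The following is an added example, not code from the original article: it shows that the embedded salt makes two hashes of the same password differ, and how a login routine can upgrade a stored hash with PHP's password_needs_rehash. The register and login helpers, the in-memory $users array, and the cost values are assumptions made for illustration; the 'cost' option applies while PASSWORD_DEFAULT is bcrypt, as the example above states.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "users table" standing in for a database (assumption).
$users = [];

// Hypothetical helper: hash a new user's password and store only the hash.
function register(array &$users, string $name, string $password, array $options = []): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT, $options);
}

// Hypothetical helper: verify a login and upgrade the stored hash if needed.
function login(array &$users, string $name, string $password, array $options = []): bool
{
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false; // same return value for unknown user and wrong password
    }
    // The hash string records its algorithm and cost. If either no longer
    // matches the current settings, re-hash while the plain password is at hand.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

// Two users choose the same password (constructed sample data).
register($users, 'alice', 'myPassword', ['cost' => 10]);
register($users, 'bob', 'myPassword', ['cost' => 10]);

// Each call generated its own salt, so the stored strings are not equal.
var_dump($users['alice'] === $users['bob']);

// A wrong password is rejected and the stored hash is left untouched.
var_dump(login($users, 'alice', 'wrong'));

// A successful login under a raised cost replaces the stored hash.
$before = $users['alice'];
var_dump(login($users, 'alice', 'myPassword', ['cost' => 12]));
var_dump(password_get_info($users['alice'])['options']);
var_dump($before !== $users['alice']);
```

Because the algorithm, cost and salt all travel inside the hash string, the database needs only one column for it; the PHP manual recommends a width of 255 characters so that future default algorithms fit.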

Overall, using PHP's password_hash and password_verify functions provides a straightforward, secure method for hashing and validating passwords, helping to protect user credentials against leaks.

Written by

php Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.
