Secure Your PHP Apps: Mastering password_hash for Safe Password Storage

Passwords are critical assets in today’s networked world, and protecting them is especially important for PHP developers. Hash functions transform an input into a fixed‑length, irreversible string, so even if a database is compromised, the original passwords cannot be recovered.

PHP provides the password_hash function to simplify secure password hashing. It accepts the plain password as the first argument and a hashing algorithm identifier (e.g., PASSWORD_DEFAULT) as the second argument. The function automatically generates a unique salt for each password and embeds it in the resulting hash.

Below is a complete example that shows how to hash a password, store the hash, and later verify a user’s input:

$password = "myPassword";
// Use the default bcrypt algorithm to hash the password
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);

// Store $hashedPassword in the database (implementation omitted)

// Verify the user‑provided password during login
if (password_verify($inputPassword, $hashedPassword)) {
    echo "密码匹配"; // Password matches
} else {
    echo "密码不匹配"; // Password does not match
}

The verification step uses password_verify, which takes the user’s input and the stored hash, compares them securely, and returns a boolean indicating whether they match.

Key points to remember: password_hash automatically handles salting; developers do not need to manage salts manually.

The generated hash contains both the salt and algorithm information, making future verification straightforward.

Always use password_verify for checking passwords; never compare hashes with simple string equality.

By adopting password_hash and password_verify, PHP applications can significantly improve password security and reduce the risk of credential leaks.