PDO Register and Login Password Matching

别跟我提以往 2021-01-26 13:09

Okay.. so to start off I only have PHP 5.3 so I can't use bcrypt, I am not familiar with salt but am completely willing to do it if someone can help me out. I also would like t

1 Answer
  • 2021-01-26 13:57

    With PHP version 5.3 you can and should use BCrypt.

    For PHP version 5.5 and higher it is recommended to use the new password functions password_hash() and password_verify():

    // Hash a new password for storing in the database.
    // The function automatically generates a cryptographically safe salt.
    $hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
    
    // Check if the hash of the entered login password matches the stored hash.
    // The salt and the cost factor will be extracted from $existingHashFromDb.
    $isPasswordCorrect = password_verify($password, $existingHashFromDb);
    

    For PHP version 5.3.7 and higher there exists a compatibility pack, so you can use the functions above in exactly the same way.

    For PHP versions earlier than 5.3.7 you could use the compatibility pack and change the crypt parameter from "$2y$%02d$" to "$2a$%02d$"; this generates a BCrypt hash as well. It is the best you can do with older versions; the hashes will be compatible when you update to a newer PHP version.


    When you want to verify the password, you cannot do this in the SQL statement directly. In a first step you have to get the stored password-hash from the database (with the username), then you can use this hash in the function password_verify(). The password_verify() function needs to extract the salt from the stored hash.

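The two-step check described in the answer (fetch the stored hash by username, then call password_verify()), as an added example that is not part of the original answer. The `users` table, its column names, the function names `registerUser` and `verifyLogin`, and the in-memory SQLite database are assumptions for illustration; it needs PHP 5.5+ or PHP 5.3.7+ with the compatibility pack.

```php
<?php
// Added example, not code from the original answer.
// Assumed schema: users(username, password_hash). Function names are hypothetical.

function registerUser(PDO $pdo, $username, $password)
{
    // password_hash() generates the salt and stores it, with the cost, inside the hash.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    return $stmt->execute(array(':u' => $username, ':h' => $hash));
}

function verifyLogin(PDO $pdo, $username, $password)
{
    // Step 1: select by username only. The password never appears in the SQL,
    // because the salted hash cannot be recomputed inside a WHERE clause.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $storedHash = $stmt->fetchColumn();

    if ($storedHash === false) {
        return false; // no such user
    }

    // Step 2: password_verify() extracts salt and cost from the stored hash,
    // re-hashes the entered password and compares the results.
    return password_verify($password, $storedHash);
}

// Constructed demo data on an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// A BCrypt hash is 60 characters; 255 leaves room for other algorithms later.
$pdo->exec('CREATE TABLE users (
    username VARCHAR(64) PRIMARY KEY,
    password_hash VARCHAR(255) NOT NULL
)');

registerUser($pdo, 'alice', 'correct horse battery staple');

// Correct password, wrong password, unknown user.
var_dump(verifyLogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(verifyLogin($pdo, 'alice', 'wrong password'));
var_dump(verifyLogin($pdo, 'mallory', 'anything'));
```

Bound parameters keep the username out of the SQL text, and the same error path for "no such user" and "wrong password" avoids telling a caller which of the two failed.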