password_hash() handles salting and algorithm selection for you; it's baked into PHP, so just use it and don't worry about how to hash and salt.

  $HashedPassword = password_hash($UsersEnteredPassword, PASSWORD_BCRYPT);
  //
  // $HashedPassword: the result will always be a 60 character string, or FALSE on failure. The string incorporates the algorithm used, cost and salt as part of the returned hash.
  // You store the string in your db (no need to separately store the salt) and then use it to verify passwords later.
  // Future hashing may return more than 60 characters if the default algorithm moves away from bcrypt, so you should store it in a db column that can take 255 characters.
  // To verify it:
  if (password_verify($UsersEnteredPassword, $HashedPassword)) {
    // the entered password matches the stored hash
  }

BCRYPT output uses a fixed, limited character set (only ./A-Za-z0-9 and $), so it is OK to use directly in SQL strings; binding it as a parameter in a prepared statement is still the cleaner way to store it.

If you need to force fixed settings:

  // Normally password_hash() picks the algorithm, cost and salt for you and stores them within the hash. However, if you need fixed settings for some reason you can use it like this.
  // Note: the 'salt' option is deprecated since PHP 7.0 and ignored (with a warning) from PHP 8.0, where password_hash() always generates its own salt; only 'cost' remains tunable.
  $HashedPassword = password_hash($UsersEnteredPassword, PASSWORD_BCRYPT, ['cost' => 10, 'salt' => ':bKRL@`8Ax]k7G7DM^6g&efeU52H/-p']);
  if ($HashedPassword === false) {
    return;
  }
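As an added worked example (not part of the original notes), here is a register/login pair that stores the hash with a bound parameter and, on a successful login, transparently re-hashes when the default algorithm or cost has moved on, which is why the notes above recommend a 255-character column. It assumes a PDO connection and a `users` table with `username` and `password_hash VARCHAR(255)` columns; both are assumptions.

```php
<?php
// Added example, not code from the original notes. Assumes a PDO connection
// and a `users` table with columns `username` and `password_hash VARCHAR(255)`.

const HASH_ALGO = PASSWORD_DEFAULT;   // bcrypt today; PHP may change it later
const HASH_OPTS = ['cost' => 12];     // raise the cost as hardware gets faster

function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, HASH_ALGO, HASH_OPTS);
    // Bind the hash as a parameter even though bcrypt output is SQL-safe:
    // prepared statements keep every value out of the query text.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no such user

    if ($stored === false) {
        // Verify against a throwaway hash so an unknown username costs the
        // same time as a wrong password and does not reveal which names exist.
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', HASH_ALGO, HASH_OPTS);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Password is correct. If the stored hash was made with an older algorithm
    // or a lower cost than HASH_OPTS, re-hash it now while we have the plaintext.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTS)) {
        $newHash = password_hash($password, HASH_ALGO, HASH_OPTS);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([$newHash, $username]);
    }
    return true;
}
```

The re-hash step is what lets you raise the cost or adopt a new default algorithm later without forcing every user to reset their password.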