Summary: In this tutorial, you will learn to store hashed passwords into the MySQL database with the help of examples.
Never store plaintext passwords in a database. If an attacker gains access to the database (through SQL injection, a leaked backup, a misconfigured replica, and so on), they would be able to read every user's password directly, and reuse those passwords against other services where users have repeated them.
Instead, store each password in a hashed format. Hashing is a one-way process that takes in a password and produces a fixed-size string of characters (called a "hash") from which the original password cannot be recovered. For passwords specifically, use a dedicated password hashing function such as bcrypt, scrypt or Argon2: these are deliberately slow and incorporate a random salt, which makes large-scale guessing attacks expensive. Fast general-purpose hashes such as MD5 or SHA-256 are not suitable on their own, because an attacker with a GPU can test billions of candidate passwords per second against them.
To verify a user's password, hash the password they entered with the same function and parameters and compare the result to the hash stored in the database. If the two hashes match, the user entered the correct password; the plaintext is never stored and only needs to exist in memory for the duration of the check.
Here is an example of how you can store hashed passwords in a MySQL database:
First, you will need to create a table to store the users' credentials. The table should have at least two columns: one for the username and one for the hashed password. Only the hash is ever written to the password column.
CREATE TABLE users (
username VARCHAR(255) PRIMARY KEY,
-- bcrypt output is 60 characters; 255 leaves room for Argon2 and future algorithms
password VARCHAR(255) NOT NULL
);
To store a new user's password, hash it with a password hashing function such as bcrypt. In PHP the password_hash() function does this, and it generates the random salt for you (see the note on salts below).
<?php
// $conn is assumed to be an open mysqli connection (not shown here).
$username = 'user1';
$plaintext_password = 'mypassword';
// Hash the password using bcrypt. The returned string contains the algorithm,
// the cost and the randomly generated salt, so it can be stored as-is.
$hashed_password = password_hash($plaintext_password, PASSWORD_BCRYPT);
// Insert the username and hashed password into the database.
// A prepared statement with bound parameters keeps the username out of the SQL text.
$query = "INSERT INTO users (username, password) VALUES (?, ?)";
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_bind_param($stmt, 'ss', $username, $hashed_password);
mysqli_stmt_execute($stmt);
?>
To verify a user's password, you need to hash the password they entered with the same function and the same salt and cost, and then compare the result to the hash stored in the database. In PHP the password_verify() function does all of this: it reads the algorithm, cost and salt out of the stored hash string, recomputes the hash of the supplied password, and compares the two in constant time.
<?php
// $conn is assumed to be an open mysqli connection (not shown here).
$username = 'user1';
$plaintext_password = 'mypassword';
// Look up the hashed password for the given username in the database
$query = "SELECT password FROM users WHERE username = ?";
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_bind_param($stmt, 's', $username);
mysqli_stmt_execute($stmt);
// Initialise to an empty string: if the username does not exist, fetch() leaves
// the variable untouched, and password_verify() against '' simply returns false
// instead of raising a deprecation notice for a null argument on PHP 8.1+.
$hashed_password_from_db = '';
mysqli_stmt_bind_result($stmt, $hashed_password_from_db);
mysqli_stmt_fetch($stmt);
// Compare the entered password to the hash from the database.
// password_verify() never compares raw strings with ==, which would be vulnerable
// to timing differences and to PHP's loose type comparison.
if (password_verify($plaintext_password, $hashed_password_from_db)) {
// Password is correct
} else {
// Password is incorrect (or the user does not exist; report the same error for both)
}
?>
Password hashing must also use a "salt". A salt is a random value that is combined with the password before it is hashed, and is stored alongside the hash. Because every user gets a different salt, two users with the same password get different hashes, and an attacker who obtains a copy of the database cannot use precomputed tables or crack all users at once; each hash has to be attacked separately.
With password_hash() you do not supply the salt yourself. The function generates a cryptographically random salt for every call and embeds it in the returned string, which for bcrypt looks like $2y$10$ followed by a 22-character salt and a 31-character hash (60 characters in total). The old 'salt' option of password_hash() was deprecated in PHP 7.0 and removed in PHP 8.0, so code that passes ['salt' => $salt] as the third argument is both unnecessary and broken on current PHP.
What the third argument is for is tuning the work factor. For bcrypt this is the 'cost' option, a power of two that controls how slow each hash computation is; the PHP default is 10, and raising it makes offline guessing proportionally more expensive for an attacker while costing you only a few tens of milliseconds per login:
$hashed_password = password_hash($plaintext_password, PASSWORD_BCRYPT, ['cost' => 12]);
Two caveats when using bcrypt: it only looks at the first 72 bytes of the password, so longer passwords are silently truncated, and a hash created with one cost stays at that cost forever. Use password_needs_rehash() after a successful login to detect hashes made with an older cost or algorithm and re-hash the password at that moment, the only time the plaintext is available.
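The following is an added, complete example that ties together the registration step, the verification step and the cost setting discussed above. It is not code from the original tutorial. It assumes PHP 8 with the mysqli extension built on mysqlnd (the default), the users table created earlier, and a MySQL database reachable with the hypothetical credentials in the constructor call. It also handles two details the shorter snippets skip: a login attempt for a non-existent username is made to cost the same time as a real check, so usernames cannot be enumerated by timing, and hashes made with an older cost are upgraded on successful login.

```php
<?php
// Added example, not from the original tutorial. Assumes a MySQL database
// reachable with the hypothetical credentials below and the `users` table
// from earlier (username VARCHAR(255) PRIMARY KEY, password VARCHAR(255)).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$conn = new mysqli('127.0.0.1', 'app', 'app-secret', 'appdb'); // hypothetical credentials

// bcrypt work factor. Raise it as hardware gets faster; old hashes are
// upgraded on the next successful login by login_user() below.
const BCRYPT_COST = 12;

/** Register a user. Returns false if the username is already taken. */
function register_user(mysqli $conn, string $username, string $password): bool
{
    // bcrypt only looks at the first 72 bytes of the password and stops at a
    // NUL byte; reject such input instead of silently truncating it.
    if (strlen($password) > 72 || str_contains($password, "\0")) {
        throw new InvalidArgumentException('password must be at most 72 bytes and contain no NUL');
    }
    // password_hash() generates a random salt itself and embeds it, together
    // with the algorithm and cost, in the returned string ($2y$12$...).
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

    try {
        $stmt = $conn->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
        $stmt->bind_param('ss', $username, $hash);
        $stmt->execute();
        return true;
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) { // ER_DUP_ENTRY: username already exists
            return false;
        }
        throw $e;
    }
}

// A hash of a random string, computed once per process. Verifying against it
// when the username does not exist takes the same time as a real check, so an
// attacker cannot tell valid usernames from invalid ones by timing the reply.
$DUMMY_HASH = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

/** Check a login. Returns true only when the username exists and the password matches. */
function login_user(mysqli $conn, string $username, string $password, string $dummyHash): bool
{
    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd

    $storedHash = $row['password'] ?? null;
    if ($storedHash === null) {
        password_verify($password, $dummyHash); // burn the same time, then fail
        return false;
    }
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // A successful login is the only moment the plaintext is available, so this
    // is where a hash made with a lower cost or an older algorithm gets upgraded.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $upd = $conn->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->bind_param('ss', $newHash, $username);
        $upd->execute();
    }
    return true;
}

// Usage with constructed sample data.
register_user($conn, 'user1', 'correct horse battery staple');
var_dump(login_user($conn, 'user1', 'correct horse battery staple', $DUMMY_HASH));
var_dump(login_user($conn, 'user1', 'wrong password', $DUMMY_HASH));
var_dump(login_user($conn, 'nobody', 'anything', $DUMMY_HASH));
```

The application code never sees or stores a salt: it is inside the 60-character string that password_hash() returns. The dummy-hash comparison is deliberately wasted work; without it, a request for an unknown username returns noticeably faster than one for a known username with a wrong password, which leaks which accounts exist. The rehash step means that changing BCRYPT_COST later is enough to migrate the whole user base gradually, without ever having to know anyone's password.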