The native password_hash() function (available since PHP 5.5) is the recommended way to hash passwords in PHP.
MD5 should be avoided: it is fast and unsalted, so MD5 password hashes are trivially reversed with precomputed lookup tables such as https://crackstation.net/.
Note: password_hash() is built into PHP, so it has no dependency on an external library.
The hash of {{ PWD }} gives {{ HASH }}
Sample PHP code:
// 1. Retrieve the stored hash, e.g. from a protected file kept outside the public folder
$hash = trim((string) file_get_contents('../public/site/password.json'));
// $hash now contains the result of password_hash("your_password", PASSWORD_DEFAULT)
// For instance $hash is equal to '{{ HASH }}'
// 2. Get the filled-in password exactly as submitted. Do not sanitize or escape it:
//    FILTER_SANITIZE_FULL_SPECIAL_CHARS would turn '&' into '&#38;', so any password
//    containing such characters would never verify against the stored hash
$password = (string) ($_POST['password'] ?? '');
// 3. Verify that the filled-in password matches the stored hash
if (password_verify($password, $hash)) {
    echo 'You can enter this room, the password is correct.';
} else {
    echo 'Wrong password.';
}
Store the hash of this password in a database or in a protected file (ideally outside your public folder) and never store or compare the plain-text password again: check submitted passwords against the stored hash with password_verify() only.
Info: the hash starts with '$2y$' when bcrypt was used (the current PASSWORD_DEFAULT) and with '$argon2i$' when Argon2i was used; Argon2i requires PHP 7.2 compiled with Argon2 support. PHP 7.3 adds PASSWORD_ARGON2ID ('$argon2id$'), the Argon2 variant recommended for password hashing. password_verify() reads the algorithm and its parameters from this prefix, so old and new hashes can coexist while you migrate, and password_needs_rehash() tells you when a stored hash should be upgraded.
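The complete flow described above (hash at registration, verify at login, upgrade old hashes when the build supports a stronger algorithm), as an added example that is not part of the original page or its demo code. The JSON file location, the field names and the sample password are assumptions; the last lines show why the submitted password must not be passed through an HTML-escaping filter before hashing or verifying.

```php
<?php
// Added example, not the page's own code. Paths, field names and the
// sample password are assumptions made for the demonstration.
declare(strict_types=1);

// Pick the strongest algorithm this PHP build offers. PASSWORD_ARGON2ID needs
// PHP >= 7.3 built with Argon2 support, PASSWORD_ARGON2I needs PHP >= 7.2;
// PASSWORD_DEFAULT (bcrypt at the time of writing) always exists.
// No return type: these constants are ints before PHP 7.4 and strings after.
function preferredAlgo()
{
    if (defined('PASSWORD_ARGON2ID')) {
        return PASSWORD_ARGON2ID;
    }
    if (defined('PASSWORD_ARGON2I')) {
        return PASSWORD_ARGON2I;
    }
    return PASSWORD_DEFAULT;
}

// Cost parameters only make sense for the algorithm they belong to.
function hashOptions($algo): array
{
    if ($algo === PASSWORD_BCRYPT) {
        // bcrypt: work factor 2^cost; note bcrypt only uses the first 72 bytes of the password
        return ['cost' => 12];
    }
    // Argon2i / Argon2id: memory in KiB, iterations, parallelism
    return ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1];
}

// Registration: hash the raw password, never a sanitized or escaped copy.
function storePassword(string $file, string $password): void
{
    $algo = preferredAlgo();
    $hash = password_hash($password, $algo, hashOptions($algo));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    // Assumed storage format: a small JSON file that lives outside the web root.
    file_put_contents($file, json_encode(['hash' => $hash]), LOCK_EX);
}

// Login: verify, then rehash if the stored hash predates the current algorithm or options.
function checkPassword(string $file, string $password): bool
{
    $stored = json_decode((string) file_get_contents($file), true);
    $hash = (string) ($stored['hash'] ?? '');
    if (!password_verify($password, $hash)) {
        return false;
    }
    $algo = preferredAlgo();
    if (password_needs_rehash($hash, $algo, hashOptions($algo))) {
        // We hold the plaintext right now, so this is the moment to upgrade the hash.
        storePassword($file, $password);
    }
    return true;
}

$file = sys_get_temp_dir() . '/password.json';   // demo location; use a protected path in production
$password = 'S3cret & <strong>';                 // constructed sample: contains characters HTML escaping would alter

storePassword($file, $password);
var_dump(checkPassword($file, $password));       // bool(true)
var_dump(checkPassword($file, 'wrong'));         // bool(false)

// Why the password must not go through FILTER_SANITIZE_FULL_SPECIAL_CHARS:
// the filter rewrites '&' as '&#38;' and '<' as '&#60;', so the string no longer
// matches what was hashed at registration time.
$escaped = filter_var($password, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
var_dump($escaped === $password);                // bool(false)
var_dump(checkPassword($file, $escaped));        // bool(false)
```

Run it with `php example.php`. The hash prefix written to the JSON file tells you which branch of preferredAlgo() your build took; on a PHP 7.2 build without Argon2 support you will see '$2y$', and the same code will start producing '$argon2id$' hashes, and upgrading the old ones at the next successful login, once the build is upgraded.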