PHP, in my opinion, is one of the world's most misunderstood programming languages. Older developers who have been around since its inception can remember a time when PHP had no object-oriented features, even though OOP has existed since the 60s. Today, though, PHP is a fully featured language that holds its own when paired with good programming practices. So here I'm going to show you a small, useful PHP function used to verify passwords that have been hashed in the database. In this tutorial I will assume you know some PHP and MySQL basics, such as how to set up a database and connect to it. All the code is provided in this GitHub repository, so no heavy amount of set-up is needed.
In this exercise we will be using PHP Data Objects (PDO). PDO is great in that it gives you the same set of functions for issuing queries and fetching data no matter which database you're using. With that said, let's jump right in.
We have a simple login form that we will use to submit data to our database. Assuming you've already set up your database and tables, a query is provided in the "main.php" file, just below the closing body tag, that inserts your username and password.
After running this query, your database table will contain the username and password you provided. Be sure to delete or comment out that query afterwards: left in place it keeps inserting rows, which will interfere with the rowCount() check we use later. Now you have everything needed to use the password_verify function. Head back to the login form and type in the information you provided in the query above. Under the hood of the login form, several functions and checks run behind the scenes. To start, we take the user input and sanitize it like so….
The next step is to check whether the submitted username matches a row in the database. For this we use a PDO prepared statement, which looks up the username in the designated table of our database.
Now here is where all of the magic happens. We take the information that we get back from the database and insert it into an associative array.
This returns an array indexed by column name, so you can now grab the password from the results. With that value in hand, it is time to use the password_verify function. It takes two inputs: the first is the plain-text password the user submitted, and the second is the hash currently held in our $dbpassword variable. We will also check whether more than one user in the database shares the same username, using the rowCount() function, which simply returns the number of rows affected by the query. In a normal web app you would have the user submit his or her e-mail address as a unique identifier, which prevents duplicates from happening, but for this tutorial we will just use a username field.
If all is well so far, then it is time to check our work. Here we set up an if statement that checks whether our $count variable equals 1 (one row affected) and whether password_verify() returns true. If everything goes as planned, we store a nice message in our session variable and call header() to send us back to the homepage. Don't forget to set your database connection to null and call exit so no more code is run.
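The whole flow described above, written out as an added example; this is not the code from the tutorial's repository, and the DSN, credentials, the table name `users`, its column names and the redirect target are assumptions:

```php
<?php
// Added example, not the tutorial's own code. Assumes a MySQL table `users`
// with columns `username` and `password`, where `password` holds a hash made
// with password_hash($plain, PASSWORD_DEFAULT) (this is how the insert query
// should store it), and a form that POSTs `username` and `password`.
session_start();

// Hypothetical connection details; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Read the submitted values. No manual escaping is needed for the query,
// because the prepared statement below binds them as parameters.
$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';

// Prepared statement: the username never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT username, password FROM users WHERE username = :username');
$stmt->execute([':username' => $username]);

// rowCount() on a SELECT is driver-dependent; it works with the MySQL PDO
// driver used here. A UNIQUE index on `username` prevents duplicates at the source.
$count = $stmt->rowCount();

$loggedIn = false;
if ($count === 1) {
    $row        = $stmt->fetch(PDO::FETCH_ASSOC);   // associative array, keyed by column
    $dbpassword = $row['password'];                 // the stored hash, never plain text
    // password_verify(plain-text input, stored hash): the hash string carries its
    // own algorithm, cost and salt, so nothing else has to be passed in.
    $loggedIn = password_verify($password, $dbpassword);
}

if ($loggedIn) {
    $_SESSION['message'] = 'Login successful';
} else {
    // One generic message for "no such user" and "wrong password" alike,
    // so the form does not reveal which usernames exist.
    $_SESSION['message'] = 'Invalid username or password';
}

$stmt = null;
$pdo  = null;                   // release the connection, as the tutorial does
header('Location: index.php');  // assumed homepage
exit;
```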
There should be a success message waiting for you and you now know how to verify user passwords using the password_verify function.
Congratulations. Don’t forget to follow and leave a comment below.