Password Hashing in PHP (Do It the Right Way)

Never store plain passwords. Use password_hash and password_verify with step-by-step examples.

Ethan Stone
October 25, 2025

Passwords should never be stored in plain text, and never hashed with a weak algorithm such as md5.

PHP ships with built-in functions designed for exactly this job:

  • password_hash
  • password_verify

Signup: hash password

$email    = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';

// password_hash adds a random salt and embeds it in the result,
// so the same password produces a different hash each time.
$hash = password_hash($password, PASSWORD_DEFAULT);

// Store only the hash; the plain password is never written anywhere.
$stmt = $pdo->prepare("INSERT INTO users (email, password_hash) VALUES (:email, :hash)");
$stmt->execute(["email" => $email, "hash" => $hash]);

Login: verify password

$email    = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';

$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
$stmt->execute(["email" => $email]);
$user = $stmt->fetch();

// password_verify reads the salt and cost out of the stored hash and
// compares in constant time; never compare hashes with == yourself.
if ($user && password_verify($password, $user['password_hash'])) {
  echo "Login success";
} else {
  // Same message for an unknown email and a wrong password, so the
  // response does not reveal which accounts exist.
  echo "Invalid credentials";
}

Why PASSWORD_DEFAULT is best

It lets PHP pick a strong algorithm for you, and because the default can change in future PHP releases, code written against PASSWORD_DEFAULT benefits from stronger hashing over time without modification. Hashes that are already stored do not change by themselves, though: they keep the algorithm and cost they were created with until the user logs in and the application rehashes the password.
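The following is an added example, not code from the original post: a login routine that, after a successful password_verify, uses password_needs_rehash to upgrade a hash created under an older algorithm or lower cost. It assumes a users table with id, email and password_hash columns and PDO's SQLite driver, and constructs its own in-memory database and sample account so it runs stand-alone.

```php
<?php
// Added example (not from the original post): verify the password, then
// upgrade the stored hash if it predates the current algorithm or cost.
// Runs stand-alone on an in-memory SQLite database; the users table,
// its columns and the sample account are constructed here.
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12]; // bcrypt work factor; tune so one hash takes ~100 ms

function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute(['email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$user || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // Correct password. If the stored hash was made with a different algorithm
    // or cost, re-hash now: this is the only moment the plaintext is available.
    if (password_needs_rehash($user['password_hash'], HASH_ALGO, HASH_OPTIONS)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute(['hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS), 'id' => $user['id']]);
    }
    return true;
}

// --- constructed fixture ---------------------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Keep the hash column wide (the PHP manual suggests 255 chars): a future default algorithm may produce longer hashes.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');

// A sample account hashed under an older, cheaper setting (bcrypt cost 10).
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
    ->execute(['alice@example.com', $legacy]);

$costOf = fn(): int => password_get_info(
    $pdo->query('SELECT password_hash FROM users')->fetchColumn()
)['options']['cost'];

echo 'wrong password: ', login($pdo, 'alice@example.com', 'hunter2') ? 'accepted' : 'rejected', PHP_EOL;
echo 'cost before: ', $costOf(), PHP_EOL;
echo 'right password: ', login($pdo, 'alice@example.com', 'correct horse battery staple') ? 'accepted' : 'rejected', PHP_EOL;
echo 'cost after: ', $costOf(), PHP_EOL;
```

A wrong password is rejected and leaves the old hash untouched; the correct one is accepted and the stored hash is rewritten at the current cost.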

Next: Build a basic authentication system using sessions.