I am learning PHP and have been looking into a suitable way to safely store password data in MySQL.
Following advice from here (How do you use bcrypt for hashing passwords in PHP?), is this an acceptable way to deal with passwords?
The code is a very basic example and I haven't included things like error checking / checking if user already exists etc. to keep my example concise.
Register User:
    // Assumes $pdo is an already-opened PDO connection (not shown in the question).
    $fld_email = $_POST['fld_email'];
    $fld_name = $_POST['fld_name'];
    $fld_pwd = $_POST['fld_pwd'];

    // Hash the plaintext once with bcrypt; the salt is generated and embedded in the result.
    $hashToStoreInDb = password_hash($fld_pwd, PASSWORD_BCRYPT, array("cost" => 11));

    // Prepared statement: the values are bound, never concatenated into the SQL.
    $sql = "INSERT INTO tbl_a_users (fld_email
                                   , fld_name
                                   , fld_pwd
                                   , fld_date)
            VALUES (:fld_email
                  , :fld_name
                  , :fld_pwd
                  , now())";
    $stmt = $pdo->prepare($sql);
    $stmt->bindParam(':fld_email', $fld_email);
    $stmt->bindParam(':fld_name', $fld_name);
    $stmt->bindParam(':fld_pwd', $hashToStoreInDb); // store the hash, never the plaintext
    $stmt->execute();
Process Login:
    $fld_email = $_POST['fld_email'];
    $fld_pwd_form = $_POST['fld_pwd'];

    // Look up the stored hash for this email using a bound parameter.
    $stmt = $pdo->prepare('SELECT fld_pwd FROM tbl_a_users WHERE fld_email = :email');
    $stmt->bindParam(':email', $fld_email);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_OBJ);

    // Note: $row is false when no user has this email; the question deliberately
    // omits that check, and $row->fld_pwd would fail on a missing user.
    // password_verify() reads the cost and salt back out of the stored hash.
    $isPasswordCorrect = password_verify($fld_pwd_form, $row->fld_pwd);
    if ($isPasswordCorrect === true) {
        // do something
    } else {
        // do something else
    }
There is no error message here, but I wanted to check with experts about whether this is an acceptable approach before I continue work on this area.
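The flow from the question, as an added stand-alone example (not the poster's code) that runs against an in-memory SQLite database through PDO so it needs no MySQL server. It keeps the question's table and column names (tbl_a_users, fld_email, fld_name, fld_pwd, fld_date) and adds the two things a reviewer would ask about next: what happens on login when the email does not exist, and re-hashing when the bcrypt cost is later raised. The functions connect(), registerUser() and login(), the BCRYPT_OPTIONS constant and the dummy-hash trick are this example's own assumptions; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the question: register/login with password_hash()
// and password_verify() over PDO, using sqlite::memory: so it runs offline.
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 11];

// A real bcrypt hash of a throwaway random password, computed once at startup.
// A login for an unknown email verifies against this so it pays the same
// bcrypt cost as a failed login for a known email (no timing hint about
// which emails are registered). Assumption of this example.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, BCRYPT_OPTIONS);

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the question; fld_email is unique so duplicates are rejected.
    $pdo->exec('CREATE TABLE tbl_a_users (
        fld_email TEXT PRIMARY KEY,
        fld_name  TEXT NOT NULL,
        fld_pwd   TEXT NOT NULL,
        fld_date  TEXT NOT NULL)');
    return $pdo;
}

function registerUser(PDO $pdo, string $email, string $name, string $password): bool {
    // bcrypt only uses the first 72 bytes of input; refuse longer passwords
    // rather than silently truncating them.
    if (strlen($password) > 72) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO tbl_a_users (fld_email, fld_name, fld_pwd, fld_date)
                           VALUES (:email, :name, :pwd, :date)');
    try {
        return $stmt->execute([
            ':email' => $email,
            ':name'  => $name,
            ':pwd'   => $hash,               // the hash, never the plaintext
            ':date'  => gmdate('Y-m-d H:i:s'),
        ]);
    } catch (PDOException $e) {
        return false;                        // duplicate email (PRIMARY KEY violation)
    }
}

function login(PDO $pdo, string $email, string $password, string $dummyHash): bool {
    $stmt = $pdo->prepare('SELECT fld_pwd FROM tbl_a_users WHERE fld_email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);

    if ($row === false) {
        // Unknown user: this is the case the question's snippet would crash on.
        // Run a verify anyway so the response time matches a wrong password, then fail.
        password_verify($password, $dummyHash);
        return false;
    }
    if (!password_verify($password, $row->fld_pwd)) {
        return false;
    }
    // If the stored hash was made with a lower cost (or another algorithm) than
    // BCRYPT_OPTIONS now asks for, re-hash while the plaintext is in hand.
    if (password_needs_rehash($row->fld_pwd, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $upd = $pdo->prepare('UPDATE tbl_a_users SET fld_pwd = :pwd WHERE fld_email = :email');
        $upd->execute([
            ':pwd'   => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS),
            ':email' => $email,
        ]);
    }
    return true;
}

// Constructed sample run (no real accounts).
$pdo = connect();
var_dump(registerUser($pdo, 'alice@example.com', 'Alice', 'correct horse battery staple'));
var_dump(registerUser($pdo, 'alice@example.com', 'Alice', 'a second try'));
var_dump(login($pdo, 'alice@example.com', 'correct horse battery staple', $dummyHash));
var_dump(login($pdo, 'alice@example.com', 'wrong password', $dummyHash));
var_dump(login($pdo, 'nobody@example.com', 'anything', $dummyHash));
```

The first registration succeeds, the duplicate is rejected by the primary key, and of the three logins only the one with the correct password returns true. The dummy verify in the unknown-user branch and the rehash-on-login branch are the two pieces the question's snippets leave out; the prepared statements and the password_hash()/password_verify() pair are the same as in the question.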