Good Code
The good version relies on PHP password APIs, which store the algorithm and cost information in the hash and can signal when rehashing is needed.
Lesson 05
Store password hashes with PHP password APIs and verify them without inventing custom hashing rules.
<?php declare(strict_types=1);
function hashPassword(string $plainPassword): string
{
// Let PHP choose the current password-safe algorithm and cost.
return password_hash($plainPassword, PASSWORD_DEFAULT);
}
function verifyPassword(string $plainPassword, string $storedHash): bool
{
return password_verify($plainPassword, $storedHash);
}
function shouldRehash(string $storedHash): bool
{
return password_needs_rehash($storedHash, PASSWORD_DEFAULT);
}<?php
// md5 is too fast and not designed for stored passwords.
$hash = md5($_POST['password']);
if ($hash === $user['password_hash']) {
$_SESSION['user_id'] = $user['id'];
}The good version relies on PHP password APIs, which store the algorithm and cost information in the hash and can signal when rehashing is needed.
The bad version uses a fast hash that is not designed for passwords, and it couples login success directly to session mutation.