How to use PHP's password_hash() with MySQL statements?

Posted: Tue Apr 08, 2014 11:13 pm
by tartunian
Hey guys!

I am new to both php and mysql and am trying to understand what is going on in this function below. I understand the INSERT INTO portion but the bind_param is where it sends to the database? Other question, how can I implement PHP password_hash() on the $item 'password' property and then store that hash. Hopefully this is the right forum for this question. Thanks a lot!

public function createEmployee($item) {
	// Prepare the statement once; the 14 question marks are placeholders for the data.
	$stmt = mysqli_prepare($this->connection,
		"INSERT INTO employees (
			firstname,lastname,password,title,departmentid,officephone,cellphone,
			email,street,city,state,zipcode,office,photofile)
		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
	$this->throwExceptionOnError();

	// 14 columns, 14 placeholders, 14 type characters; departmentid is the only integer ('i').
	mysqli_stmt_bind_param($stmt, 'ssssisssssssss', $item->firstname, $item->lastname, $item->password,
		$item->title, $item->departmentid, $item->officephone, $item->cellphone,
		$item->email, $item->street, $item->city, $item->state,
		$item->zipcode, $item->office, $item->photofile
	);
	$this->throwExceptionOnError();

	// Execution is when the bound values are actually sent to MySQL.
	mysqli_stmt_execute($stmt);
	$this->throwExceptionOnError();

	$autoid = mysqli_stmt_insert_id($stmt);

	mysqli_stmt_free_result($stmt);
	mysqli_close($this->connection);

	return $autoid;
}

Re: How to use PHP's password_hash() with MySQL statements?

Posted: Tue Apr 08, 2014 11:38 pm
by requinix
The mysqli_prepare() sends a statement to the server but without data. (Optionally: you could execute regular queries too but mysqli_query() is better for those.) The question marks are placeholders for where the data would go. The server can look at the query and figure out ahead of time how to execute it. Then it waits until the client starts sending data.

In PHP, that happens with one or two steps. Here, two:
1. Pick some variables to put the data into. bind_param tells mysqli which ones you're using.
2. Execute the prepared statement. mysqli will grab the values of those variables you told it about and pass them to MySQL.
Then if you want you can change the values in the variables and execute once more, and over and over again, running the same statement each time but with different data.

So,
tartunian wrote:I understand the INSERT INTO portion but the bind_param is where it sends to the database?
Close. That's step #1 above: telling mysqli of the variables it should check when executing. The actual "send to the database" part happens with the mysqli_stmt_execute() in step #2.
tartunian wrote:Other question, how can I implement PHP password_hash() on the $item 'password' property and then store that hash.
The hashed password is really just a string, so you can treat it like you would any other string: use a question mark as the placeholder for where the password value goes in the query (done) and call mysqli_stmt_bind_param() with the password variable somewhere in the arguments (kinda done).

As for the hashing part. password_hash() will give you a hash for a password. Since you wouldn't want to overwrite $item->password with the hash, use another variable.

$hash = password_hash($item->password, PASSWORD_DEFAULT);
Now use that in the mysqli_stmt_bind_param() instead of $item->password and... that's it.

Oh, and make sure the employees.password column in the database is large enough to hold password hashes, like VARCHAR(255). password_hash() doesn't make any promises about how long the hash will be, but 255 characters should be plenty for the foreseeable future.
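The two points in the answer above (hash into a separate variable before binding, and bind once then execute repeatedly with different data) put together as an added example. This is not code from the thread; it assumes a simplified employees table with a VARCHAR(255) password column (sketched in the comment), placeholder connection details, and PHP 7.1 or later. It also shows the other half of the job, checking a login with password_verify(), which the thread does not cover.

```php
<?php
// Added example (not from the original post): hashing a password before binding it
// into the prepared INSERT, reusing one statement for several rows, and checking a
// login with password_verify(). Assumes a table created roughly as:
//   CREATE TABLE employees (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     email VARCHAR(255) NOT NULL UNIQUE,
//     firstname VARCHAR(100), lastname VARCHAR(100),
//     password VARCHAR(255) NOT NULL   -- wide enough for any password_hash() output
//   );
// The connection details are placeholders, not values from the thread.

function connectDb(): mysqli
{
    $conn = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    if ($conn === false) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    return $conn;
}

// Insert several employees with one prepared statement. The statement is sent to
// the server once; only the bound variables change between executions.
function createEmployees(mysqli $conn, array $items): array
{
    $stmt = mysqli_prepare(
        $conn,
        'INSERT INTO employees (firstname, lastname, email, password) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }

    // Bind once to local variables; their values are read at each execute().
    $firstname = $lastname = $email = $hash = '';
    mysqli_stmt_bind_param($stmt, 'ssss', $firstname, $lastname, $email, $hash);

    $ids = [];
    foreach ($items as $item) {
        $firstname = $item->firstname;
        $lastname  = $item->lastname;
        $email     = $item->email;
        // Hash into a separate variable so the plaintext in $item is never stored.
        $hash = password_hash($item->password, PASSWORD_DEFAULT);

        if (!mysqli_stmt_execute($stmt)) {
            throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
        }
        $ids[] = (int) mysqli_stmt_insert_id($stmt);
    }
    mysqli_stmt_close($stmt);
    return $ids;
}

// Look up the stored hash by email and let password_verify() do the comparison.
// Returns the employee id on success, or null when the email or password is wrong.
function checkLogin(mysqli $conn, string $email, string $password): ?int
{
    $stmt = mysqli_prepare($conn, 'SELECT id, password FROM employees WHERE email = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $storedHash);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    if (!$found || !password_verify($password, $storedHash)) {
        return null;
    }
    // If PHP's default algorithm or cost has changed since this hash was made,
    // re-hash now, while the plaintext is available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = mysqli_prepare($conn, 'UPDATE employees SET password = ? WHERE id = ?');
        mysqli_stmt_bind_param($upd, 'si', $newHash, $id);
        mysqli_stmt_execute($upd);
        mysqli_stmt_close($upd);
    }
    return $id;
}

// Usage with constructed sample data.
$conn = connectDb();
$alice = (object) ['firstname' => 'Alice', 'lastname' => 'Example',
                   'email' => 'alice@example.com', 'password' => 'correct horse battery staple'];
$ids = createEmployees($conn, [$alice]);
var_dump(checkLogin($conn, 'alice@example.com', 'correct horse battery staple') === $ids[0]);
var_dump(checkLogin($conn, 'alice@example.com', 'wrong password'));
mysqli_close($conn);
```

The login check deliberately selects the hash by email and compares in PHP rather than putting the password into the WHERE clause: the database never sees the plaintext, and password_verify() handles the salt and algorithm encoded in the stored string. password_needs_rehash() is what makes the VARCHAR(255) advice matter in practice, since a later PHP default can produce a longer hash than the one originally stored.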

Re: How to use PHP's password_hash() with MySQL statements?

Posted: Wed Apr 09, 2014 12:31 am
by tartunian
Wow. Thank you very much requinix. Very easy to understand explanation.