view raw
Kapral Kost Kapral Kost - 8 months ago 85
PHP Question

Django password in PHP

I have a problem, because I have a database with users and theirs passwords were secured with Django (pbkdf2). So '123' looks like this:


Now I need to use this passwords in PHP project and I don't have any idea how to compare them.



Let's break this down. The $ are separators:

  • pbkdf2_sh256 means PBKDF2-SHA256, i.e. hash_pbkf2('sha256', ...)
  • 20000 is the iteration count
  • MflWfLXbejfO is the salt
  • tNrjk42YE9ZXkg7IvXY5fikbC+H52Ipd2mf7m0azttk= is likely the hash.

This is all the information you need to validate the hash from PHP. You just need:

  1. hash_pbkdf2() to generate a new hash from the password provided by the user
  2. hash_equals() to compare the generated hash with the stored one

This function should work (PHP 7+):

 * Verify a Django password (PBKDF2-SHA256)
 * @ref
 * @param string $password   The password provided by the user
 * @param string $djangoHash The hash stored in the Django app
 * @return bool
 * @throws Exception
function django_password_verify(string $password, string $djangoHash): bool
    $pieces = explode('$', $djangoHash);
    if (count($pieces) !== 4) {
        throw new Exception("Illegal hash format");
    list($header, $iter, $salt, $hash) = $pieces;
    // Get the hash algorithm used:
    if (preg_match('#^pbkdf2_([a-z0-9A-Z]+)$#', $header, $m)) {
        $algo = $m[1];
    } else {
        throw new Exception(sprintf("Bad header (%s)", $header));
    if (!in_array($algo, hash_algos())) {
        throw new Exception(sprintf("Illegal hash algorithm (%s)", $algo));

    $calc = hash_pbkdf2(
        (int) $iter,
    return hash_equals($calc, base64_decode($hash));


If you need legacy PHP 5 support, removing the string prefixes and the : bool from the function definition will make it work on PHP 5.6. I don't advise trying to add backward compatibility for versions of PHP earlier than 5.6; if you find yourself in this situation, you should update your server software instead.