Well, password_hash() is basically just a nicer implementation of the crypt() function, using the Blowfish algorithm by default:
crypt('somepassword', '$2y$10$randomlygeneratedsalt$');
The crypt() function returns a string that looks like this:
$2y$10$randomlygeneratedsalte2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi
It uses $ delimiters to separate the segments:
- Algorithm
- Cost
- Salt/hash combination
From the documentation (emphasis is mine):
[...] Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z". [...] The two digit cost parameter [...] must be in range 04-31 [...]
The hash itself is a base64-encoded string using . and / as the last two characters.
In other words, a hash generated by password_hash() contains:
[a-zA-Z0-9$/.]
And it is 60 characters long.
I do not know why you would want to sanitize it (a hash should never be modified, so there should not be anything to sanitize), but something like this should work:
$sanitized = filter_var($hash, FILTER_CALLBACK, ['options' => function($hash) {
    // strip anything outside the character set a bcrypt hash can contain
    return preg_replace('/[^a-zA-Z0-9$\/.]/', '', $hash);
}]);
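Rather than stripping characters out of a hash, a stricter approach is to validate the whole string against the format described above and reject anything that does not match. The following is an added example, not code from the answer above: parseBcryptHash() is a hypothetical helper that anchors a regex over all 60 characters (algorithm prefix, two-digit cost, 22-character salt, 31-character hash) and returns the segments or null, so a stored value is either a well-formed bcrypt hash or treated as corrupt. It assumes PHP 5.5 or later for password_hash() and password_get_info().

```php
<?php
// Added example: strictly validate and parse a bcrypt hash as produced by
// password_hash() / crypt() with a $2a$, $2x$ or $2y$ prefix.
declare(strict_types=1);

/**
 * Return the segments of a bcrypt hash, or null if the string is not a
 * well-formed bcrypt hash. The regex is anchored at both ends, so the whole
 * 60-character string must match; nothing is "cleaned", it is accepted or not.
 */
function parseBcryptHash(string $hash): ?array
{
    // "$2a$"/"$2x$"/"$2y$", two-digit cost, "$", then 22 salt characters and
    // 31 hash characters, all from the bcrypt alphabet ./0-9A-Za-z.
    $re = '#^\$(2[axy])\$(\d{2})\$([./0-9A-Za-z]{22})([./0-9A-Za-z]{31})$#';
    if (strlen($hash) !== 60 || !preg_match($re, $hash, $m)) {
        return null;
    }
    $cost = (int) $m[2];
    if ($cost < 4 || $cost > 31) { // documented range is 04-31
        return null;
    }
    return [
        'algorithm' => $m[1],
        'cost'      => $cost,
        'salt'      => $m[3],
        'hash'      => $m[4],
    ];
}

// Demonstration with a freshly generated hash.
$hash = password_hash('somepassword', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(parseBcryptHash($hash));               // array with 4 segments
var_dump(password_get_info($hash)['algoName']); // string "bcrypt"

// Constructed bad inputs: anything that is not exactly a bcrypt hash is
// rejected instead of being partially stripped and then stored.
var_dump(parseBcryptHash($hash . "'; DROP TABLE users; --")); // NULL
var_dump(parseBcryptHash(substr($hash, 0, 59)));              // NULL
var_dump(parseBcryptHash(str_replace('$2y$', '$2z$', $hash))); // NULL
```

If a stored value fails this check, do not try to repair it: password_verify() would fail against a modified string anyway, so the safe response is to treat the record as corrupt and require a password reset. When storing the hash, keep the column at least 60 characters wide; the PHP documentation recommends 255 so that future default algorithms with longer output still fit.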