[UPDATE: Added a PHP version clarification at the end of the post.]
Managing dependencies via Composer is one of the most revolutionary advancements in the history of PHP. Composer packages are frequently hosted on GitHub, listed on Packagist, and required in your project via the require field in composer.json.
So Where is phpass?
What happens when that’s not the case? One library of note, phpass, is not available on GitHub (or any other supported VCS) [1] and therefore can’t simply be added to the require field for easy installation. All is not lost, however, thanks to Composer’s package repository feature [2].
Behold, Composer’s ‘Package’ Repository!
After reviewing the package repository docs, I found it ridiculously easy to require phpass in my project. Here’s what you have to do.
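A composer.json of the kind described here, as an added example (it is not the original post's listing). The package name local/phpass is an arbitrary label, the version, URL and shasum values are placeholders to replace with those of the phpass release you have verified, and the classmap entry assumes the library's classes sit at the archive root. With shasum set, Composer checks the downloaded archive's SHA-1 against it before installing.

```json
{
    "repositories": [
        {
            "type": "package",
            "package": {
                "name": "local/phpass",
                "version": "REPLACE_WITH_PHPASS_VERSION",
                "dist": {
                    "url": "https://example.invalid/REPLACE_WITH_PHPASS_ARCHIVE.tar.gz",
                    "type": "tar",
                    "shasum": "REPLACE_WITH_SHA1_OF_VERIFIED_ARCHIVE"
                },
                "autoload": {
                    "classmap": ["."]
                }
            }
        }
    ],
    "require": {
        "local/phpass": "REPLACE_WITH_PHPASS_VERSION"
    }
}
```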
Now you can run composer install (or composer update, as appropriate) and Composer will install phpass as a project dependency. Sweet!
UPDATE - CLARIFICATION: Using phpass is only advisable for PHP versions that won’t support the new password hashing functions. That’s any version of PHP less than 5.3.7:
- PHP >= 5.5: Password hashing functions available natively
- PHP >= 5.3.7, < 5.5: password_compat provides forward compatibility
- PHP < 5.3.7: phpass is the gold standard
If you’re at PHP >= 5.3.7, enjoy this article as a Composer tip you might not have known about until now and use password_compat. If you’re at PHP < 5.3.7, this is both a Composer tip and an admonition to upgrade your password security. Do it!
Many thanks to Meroje and @craig_bass for pointing out that password_compat is superior, making it clear that I needed to post a clarification.
1. Yes, there are phpass repos on GitHub, but Anthony Ferrara recommends against them. When Anthony talks security, I listen.
2. Be aware, there are significant drawbacks to this method (noted at the bottom of the Package documentation), but sometimes it’s the only way.