Can someone point me to a good PHP/MySQL salted hashed password implementation?

Question

After reading about salts password hashing Id like to implement a simple version for an admin area to a site Im building.

If you have any good links with code that have

Answer 1

function encodePwd($salt, $string) {
   return sha1( $salt . $string );
}

think about salt randomization for a minute though. Password encoding specifically.

If i have salt of "random" and a password of "complex", my sha1 would be

e55ec45f2873a04d2b888a5f59dd3f9d3bb25329

that's stored in the database. I want to check against that.

So when a user supplies me "complex" as a password, i tag "random" in front of it and encode it to get the same hash. If they equal, then bazinga! i'm set.

But what if that was random?

salt when it was stored: "random"

SHA1: e55ec45f2873a04d2b888a5f59dd3f9d3bb25329

salt when the user put it in: "apple"

SHA1: e07b207d77a0bd27d321552fc934b186559f9f42

how am i going to match those?

If you are looking for a more secure method, use data that you have and that is constant like the username or id of user or something (preferably something that won't change). You need a pattern you can rely on.

username would work good (you'd have to make sure to update password if they ever changed the username) that way authentication could look like

`WHERE `username` = '&username' AND `password` = '" . encodePwd( $username, $password ) . "'"`

function encodePwd( $username, $password) {
   // maybe modify username on a non-random basis? - like
   // $username = sha1( substr($username, 2)); // assuming usernames have a min-length requirement
   return sha1( $username  . $password ) ;
}