C.1. Storing Passwords
You should never store cleartext passwords in a database. Instead, store the hash of the password, and use a salt for best results:

```php
<?php

/* $password contains the password. */

$salt = 'SHIFLETT';
$password_hash = md5($salt . md5($password . $salt));

/* Store password hash. */

?>
```
When you want to determine whether a user has provided the correct password, hash the provided password using the same technique, and compare the hashes:
```php
<?php

$salt = 'SHIFLETT';
$password_hash = md5($salt . md5($_POST['password'] . $salt));

/* Compare password hashes. */

?>
```
If the hashes are identical, you are reasonably assured that the passwords are also identical.
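The following is an added example, not code from the book. It puts the store-then-compare flow above into two complete functions and goes one step beyond the text: instead of a single application-wide salt, it uses PHP's built-in password_hash()/password_verify() (PHP 5.5 and later), which generate a random per-user salt and a slow hash and store both inside the returned string, so the database needs only the one column. The book's fixed-salt md5 routine is kept alongside for comparison, and hash_equals() is used so the comparison takes the same time whether or not the hashes differ. The $users array, the user names and the passwords are constructed for the demonstration and stand in for a database table.

```php
<?php
// Added example: storing and checking password hashes in PHP.
// Assumes PHP >= 5.5 (password_hash, password_verify, hash_equals).
// $users stands in for the users table; it is constructed here.

/* The book's technique, for reference: fixed salt plus md5. Every user
   with the same password gets the same hash, because the salt never changes. */
function legacy_hash($password)
{
    $salt = 'SHIFLETT';
    return md5($salt . md5($password . $salt));
}

/* Compare a stored legacy hash against a submitted password in constant time. */
function check_legacy($stored_hash, $password)
{
    return hash_equals($stored_hash, legacy_hash($password));
}

/* Register a user: store only the hash. password_hash() draws a random salt
   for this user and embeds it (with the algorithm and cost) in the result. */
function register_user(array &$users, $username, $password)
{
    $users[$username] = array(
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
    );
}

/* Check a login attempt. password_verify() reads the salt back out of the
   stored string, recomputes the hash and compares in constant time. A
   dummy verify runs for unknown users so a missing account does not answer
   faster than a wrong password. */
function check_login(array $users, $username, $password)
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    }

    if (!isset($users[$username])) {
        password_verify($password, $dummy);
        return false;
    }

    return password_verify($password, $users[$username]['password_hash']);
}

/* Demonstration with constructed users. */
$users = array();
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob',   'correct horse battery staple');

echo "alice, right password: " . var_export(check_login($users, 'alice', 'correct horse battery staple'), true) . "\n";
echo "alice, wrong password: " . var_export(check_login($users, 'alice', 'Correct horse battery staple'), true) . "\n";
echo "unknown user:          " . var_export(check_login($users, 'carol', 'anything'), true) . "\n";

/* Same password, two users: the per-user salt makes the stored values differ,
   whereas the fixed-salt routine produces identical values. */
echo "password_hash differs between alice and bob: "
    . var_export($users['alice']['password_hash'] !== $users['bob']['password_hash'], true) . "\n";
echo "legacy_hash differs between alice and bob:   "
    . var_export(legacy_hash('correct horse battery staple') !== legacy_hash('correct horse battery staple'), true) . "\n";

/* The legacy comparison still works for a hash stored by the book's method. */
$old = legacy_hash('secret');
echo "legacy check, right password: " . var_export(check_legacy($old, 'secret'), true) . "\n";
echo "legacy check, wrong password: " . var_export(check_legacy($old, 'Secret'), true) . "\n";
?>
```

Run it with `php filename.php`. The string password_hash() returns is already salted, so the register and check steps never handle a salt value themselves; a database column of 255 characters holds it comfortably, and password_needs_rehash() can be used at login time to upgrade stored hashes when the default algorithm or cost changes.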