
I am led to believe MD5 and SHA1 aren't the best practices for dealing with passwords, therefore I want to make sure I am doing things in the most secure manner.

I don't know how to implement this, I was given a site from another "Developer" who has stored the passwords in plain text... which is why I am correcting it now.

My understanding is:

  • User registers for X and enters their desired password to login at a later date.

  • The details entered are submitted to a database. The password is submitted and Hashed server side, then salted.

  • When the user next logs in, the password is then re-hashed and compared with the entry in the existing database. If the password is correct then access is granted.

My current setup is PHP, with PHP My Admin managing the database.

Do I:

Want a separate table/database for the hashed/salted passwords? Is there an existing function in PHP I can use to hash passwords? Is it necessary to hash, salt then pepper passwords?

Thank you, I am new to PHP and want to make sure this information is kept securely.

FK-
    Use this for PHP > 5.5: http://php.net/manual/en/function.password-hash.php You don't need a separate table; for lower versions use https://github.com/ircmaxell/password_compat – Mihai May 24 '15 at 16:08
  • possible duplicate of [How do you use bcrypt for hashing passwords in PHP?](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – martinstoeckli May 25 '15 at 19:27

2 Answers


PHP v5.5 provides built-in functions for authorization. Read about:

password_hash() and password_verify()

It's better to use verified components than to create them on your own - especially an authorization process. Broken authorization is one of the main vulnerabilities!

Adam S.
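A worked registration and login flow using password_hash() and password_verify(), added here as an example and not code from the original answer. It assumes a `users` table with `username` and `password_hash` columns (the hash embeds its own salt, so no separate salt column or table is needed) and uses an in-memory SQLite database through PDO so it runs stand-alone:

```php
<?php
// Added example (not from the original answers): registration and login with
// password_hash()/password_verify() (PHP >= 5.5). The users table and its
// column names are assumptions; the data below is constructed for the demo.

function register_user(PDO $db, $username, $password)
{
    // password_hash() picks a random salt and stores it inside the returned
    // string (e.g. "$2y$10$..."), so only this one column needs to be saved.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute(array(':u' => $username, ':h' => $hash));
}

function login_user(PDO $db, $username, $password)
{
    // Look the user up by username only; the password is checked in PHP,
    // never in the WHERE clause.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    // password_verify() reads the salt and cost out of the stored hash.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // If PHP's default algorithm or cost has been raised since this hash was
    // created, re-hash now while the correct plaintext is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute(array(':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username));
    }
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

register_user($db, 'alice', 'correct horse battery staple');
var_dump(login_user($db, 'alice', 'correct horse battery staple'));
var_dump(login_user($db, 'alice', 'wrong password'));
var_dump(login_user($db, 'nobody', 'anything'));
```

The first lookup should succeed and the other two fail; raising PASSWORD_DEFAULT's cost in a later PHP release is handled transparently by the password_needs_rehash() branch on the next successful login.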

you simply do:

 <?php
 $password = md5($_POST['password']); // or md5($_GET['password'])
 // insert into the database

Then, to compare on login, it's the same process:

 $password = md5($_POST['password']);
 $login = "select username from users where password = '".$password."'";

Done :)

Adrian Brown
  • No, this you should not do, because MD5 is way too fast ([9 Giga MD5/s](http://hashcat.net/oclhashcat/#performance)), and therefore can be brute-forced too easily. – martinstoeckli May 25 '15 at 19:23