<div>
<div class="content wysiwyg-content">
I am making a database with user information in it. My question is when adding a salt it should be unique/random (In every example i see substr(uniqid... etc)) but - could you just use a salt which is a substr of the MD5 hash of the password itself? Also, the whole idea of hacking the passwords is all good but the literature on it seems to be talking about using rainbow tables on the list of passwords - but if the hacker has hacked into the server to get the list of passwords then those passwords would also be in the same database as the user information so he would also have that anyway surely so wouldnt want the passwords??? (notice below using md5 and sha1 combo - does this increase security?), Viz:<br />

<pre><code id="code-404850">function validateLogin($user,$pass)
{
	$sqlSafeUser = this-&gt;makeSafe($user);
	$sqlSafePass = this-&gt;makeSafe($pass);
	$hashpass = this-&gt;getHashPass($sqlSafePass);
//more code
}
function getHashPass($string)
{
	$passLength = count($string);
	$salt = substr(md5($string),$passLength,32);
	$hashedPass = sha1(&quot;/?3&quot;.$salt.&quot;$%^&quot;.$string);
	return $hashedPass;
}
</code></pre>
</div>
</div>


I am making a database with user information in it. My question is when adding a salt it should be unique/random (In every example i see substr(uniqid... etc)) but - could you just use a salt which is a substr of the MD5 hash of the password itself? Also, the whole idea of hacking the passwords is all good but the literature on it seems to be talking about using rainbow tables on the list of passwords - but if the hacker has hacked into the server to get the list of passwords then those passwords would also be in the same database as the user information so he would also have that anyway surely so wouldnt want the passwords??? (notice below using md5 and sha1 combo - does this increase security?), Viz:

Password Salt

PHP is a widely-used server-side scripting language especially suited for web development, powering tens of millions of sites from Facebook to personal WordPress blogs. PHP is often paired with the MySQL relational database, but includes support for most other mainstream databases. By utilizing different Server APIs, PHP can work on many different web servers as a server-side scripting language.

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.

Encryption

Web development can range from developing the simplest static single page of plain text to the most complex web-based internet applications, electronic businesses, and social network services using a wide variety of languages and standards, including the familiar HTML, JavaScript and jQuery, ASP and ASP.NET, PHP, ColdFusion, CSS, PHP, Flex and Flash, but also the implementation of a broad list of standards including XML, WSDL, SSDL, VoiceXML and many more.