How and Why to Hash Passwords in PHP

Well, bonus points for including SQL that doesn't suffer from SQL injection issues, but every one of the suggestions is wrong.<p>I'm personally confused by this comment:<p><pre><code> Note: Using MySQL's password() function in your own applications isn't recommended - the algorithm used has changed over time and prior to 4.1 was particularly weak. </code></pre> So.. if you know it's not recommended, why even include an example of it?

yikes, a php security site telling people to use sha1().<p>don't use sha1 hashes for storing passwords, use bcrypt. <a href="http://www.openwall.com/phpass/" rel="nofollow">http://www.openwall.com/phpass/</a><p>or a quick code snippet:<p><pre><code> for ($salt = "", $x = 0; $x++ &#60; 40; $salt .= chr(mt_rand(0,255))) ; $hashed = crypt($password, '$2a$08$' . hash("whirlpool", $salt));</code></pre>

I hope this article is really old...at least then the author can claim ignorance.<p>phpsec should update this article with a more secure example.