If your application is only calcullating md5 when someone registers on your site, or is logging in, own many calls to md5 will you do per hour ? Couple of hundreds ? If so, I don’t think the really small difference between PHP and MySQL will be significant at all.

The question should be more like “where do I put the fact that password are stored using md5” than “what makes me win almost nothing”.

And, as a sidenote, another question could be : where can you afford to spend resources for that kind of calculations ? If you have 10 PHP servers and one DB server already under heavy load, you get your answer 😉

But, just for fun :

mysql> select benchmark(1000000, md5('test'));
+---------------------------------+
| benchmark(1000000, md5('test')) |
+---------------------------------+
|                               0 |
+---------------------------------+
1 row in set (2.24 sec)

And in PHP :

$before = microtime(true);
for ($i=0 ; $i<1000000 ; $i++) {
    $a = md5('test');
}
$after = microtime(true);
echo ($after-$before) . "\n";

gives :

$ php ~/developpement/tests/temp/temp.php
3.3341760635376

But you probably won’t be calculating a million md5 like this, will you ?

(And this has nothing to do with preventing SQL injections : just escape/quote your data ! always ! or use prepared statements)