Possible Duplicate:
Best way to prevent SQL Injection in PHP
The necessity of hiding the salt for a hash
I’m very new to MySQL and PHP, and have started self-learning it over the past couple of days and today I was looking at encryption for passwords etc. I’ve been looking through many webpages with information on the topic and most of them are saying to generate a random salt for every entry in the table (which I understand, you don’t want the same salt for every entry) and this salt should then be stored in the table alongside the entry.
From what I’ve understood (correct me if I’m wrong), the encryption of the password doesn’t prevent hackers from accessing it, rather just masks the true value if they do get access to the database. Surely if this is the case, you wouldn’t want to store the salt in the table too – if the hacker has accessed the database and can see the encrypted data, showing him the salt just makes his job of decrypting infinitely easier?
The salt isn’t used to encrypt. Instead, it goes (together with the password) into a hash function. That way, nobody (not even your application) can determine the password, but you can verify a password.
The salt is then used to require the attacker to attack each password hash individually (if the attacker wants just one password, the salt doesn’t help in any way). Thanks to rainbow tables, it is fairly easy to compute the outputs of the hash function for common passwords.
The salt value is not secret, and can be safely stored in a MySQL database (or even published).