What happens if the user wishes to change their email?

Getting beyond that, thanks for the tut. I am now using hash(sha512) on my sites salted with the time stamp at the time they registered. Yes its stored in the database, but you have to get past the sha512 hash to get to it.

Thanks again, well done.

But am I the only one to notice in 3. Authenticating the user you actually only need a valid username? As your SQL never actually checks against the password? ^^

(You first use the username to get salt and e-mail and then match again just against the username)

I think now-a-days practically every coder knows that MD5 is indeed broke, and should use one of the SHA methods with salting. It’s interesting… Although I definitely wouldn’t recommend storing the string in the database. Heh that’s just askin’ for trouble in my eyes.

The way I encrypt is using an encryption key of a random string sha1-hashed, then hashing that hash again and using that hash as the salt and then hashing the actual users password with the salt appended. Personally I think it’s very secure haha, but I think I’d need a crypto-geek to tell me if it’s a highly secure way.

Yes I used MD5 as an example, I know MD5 is broken, I assume you had no intention to read commented code.

mysql_connect($db_host, $db_usr, $db_pass) or die(“MySQL Error: ” . mysql_error());

You also use md5 in one of your scripts. This is now broken and no longer presumed industry standard.

And the below line is unecessary as you could just use the MySql respose to identify if theres a matched record.
if(mysql_num_rows($checklogin) == 1)