Is it a good/secure way for hashing passwords PHP

Question

I was using :

function generateHash($password) {
    if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
        $salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password, $salt);
    }
}

for hashing passwords but its incompatible for PHP Version lower than 5.3.7. So I created this small function to generate and verify passwords But since I am not pro in Security I want to know if it is quite secure or is still insecure.

My function:

//$hash variable is also used to check weather we are creating or verifying passwords.
function password($password,$hash=FALSE){

    $salt=array("hfuiliffa","wiaelfbs","usfewl","fr6j5","gwg8","bs4$","fgthwv");//An array of salts
    if ($hash){
        foreach ($salt as $s1)
            foreach ($salt as $s2)
                if ($s1.sha1($s2.$password)===$hash)
                return true;

        return FALSE;//If we are still here means time to return false.
    }else {
        return $salt[array_rand($salt)].sha1($salt[array_rand($salt)].$password);
    }
}

Answer 1

The best thing you can do is to use the new function password_hash() . As you already know there is a compatibility pack working for PHP version 5.3.7. upwards.

If you really need to support lower PHP versions, you can replace the crypt parameter from "$2y$%02d$" to "$2a$%02d$", this generates a BCrypt hash as well. It is the best you can do with older versions. Alternatively you can have a look at the example code at my homepage.

if (version_compare(PHP_VERSION, '5.3.7') >= 0)
  $algorithm = '$2y$%02d$'; // BCrypt, with fixed unicode problem
else
  $algorithm = '$2a$%02d$'; // BCrypt

If you absolutely need to support PHP 4.x there is no BCrypt support, in this case i would recommend to use the phpass library. BTW your scheme with the constant "salts" gives nearly no protection.