random salt
#2

[eluser]Jondolar[/eluser]
If your code is encoded (zend, ioncube), you can hard-code a non-random salt string and combine it with the username. This gives you the added benefit that if your database is stolen and someone wants to take the time to try to guess that you used the username as the salt, they still can't create a hash table. Even if your hard-coded salt string is not encoded, it can protect you if your database is compromized but your code is not.

Example:
$key = 'aksjdfkwierieujksdkjfdkeurie3948398493'; // hard coded, used multiple places, never stored in the DB
$salt = sha1($_POST['username'].$key);            // per-user salt derived from the username plus the key
$hash = sha1($salt.$password);                    // value stored in the user record

Don't store your salt in the database, use a random salt stored in the database, such as user, email, random text that is stored with the record. Then add an additional key (not really a salt) that is not stored in the database. If you can encode your code, even better (but not very common, I guess).
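The scheme described above written out as an added example in PHP (not the poster's code): a random salt stored with the user record plus a server-side key that is kept out of the database. It assumes the key is read from a config file outside the web root, uses PBKDF2-HMAC-SHA256 in place of the post's single sha1() call, and all function names are mine.

```php
<?php
// Added example, not from the forum post. Assumption: SERVER_KEY is loaded from
// a config file outside the web root and is never written to the database.
const SERVER_KEY = 'placeholder-replace-with-a-long-random-secret';
const PBKDF2_ROUNDS = 100000;

// Build the record to store: a random per-user salt plus a hash that also mixes
// in the server-side key. Only $salt and $hash go into the database.
function make_password_record(string $password, string $key): array
{
    $salt = bin2hex(random_bytes(16));      // 128-bit random salt, unique per user
    $hash = hash_pbkdf2('sha256', $password, $salt . $key, PBKDF2_ROUNDS);
    return ['salt' => $salt, 'hash' => $hash];
}

// Check a login attempt against the stored record. hash_equals() avoids leaking
// timing information about how many leading characters matched.
function verify_password(string $password, array $record, string $key): bool
{
    $candidate = hash_pbkdf2('sha256', $password, $record['salt'] . $key, PBKDF2_ROUNDS);
    return hash_equals($record['hash'], $candidate);
}

// Constructed sample login, not real credentials.
$record = make_password_record('correct horse battery staple', SERVER_KEY);

// With the key available (the application itself), the right password verifies.
var_dump(verify_password('correct horse battery staple', $record, SERVER_KEY));

// A wrong password is rejected.
var_dump(verify_password('wrong password', $record, SERVER_KEY));

// Someone holding only the leaked database row has the salt and hash but not
// the key; without it even the correct password cannot be confirmed against
// the stored hash, which is the point the post makes.
var_dump(verify_password('correct horse battery staple', $record, ''));
```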


Messages In This Thread
random salt - by El Forum - 08-06-2009, 03:43 PM
random salt - by El Forum - 08-06-2009, 04:37 PM