[eluser]BrianDHall[/eluser]
Oooo, I see your problem I think.
OK, SHA1() is a one-way hashing encryption concept. It turns "password" into an irreversible 'hash', or big lump of characters. So when you store the password the first time you don't store it in plain text, you store it as $store_value = sha1($submitted_password).
Then to see if the person provided the right password you do something like:
Code:
if (sha1($submitted_password) === $database_password_field)
{
    // password was valid!
}
The 'safety' of using features like sha1() is if someone gets a peek at your database password field they can't really do anything with it. So let's say they find out your admin username has a hashed password of "9boi3490939ig09jsgainoieng09309jg" - what can they do with that?
The reason for sha1 over md5 is primarily due to "collisions" - sometimes two different strings will end up having exactly the same hashed value. So let's say somehow "banana" has the same hashed value as "tomato" - someone can try to login with banana or tomato and they will be able to login just fine.
sha1 has fewer collisions than md5, and so is considered more secure. As to using a salt, this is rather more advanced security reasoning that involves invalidating attempts at dictionary hash cracks - and suffice it to say that you really don't have to use salt to be secure. It's just an extra layer of security, and you are in most cases just fine avoiding the complexity of such things if you are new to cryptography and/or programming.
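Added example, not code from the original post: the store-then-verify flow the post describes, written out in PHP (assumes PHP 7 or later for random_bytes()), first with a bare sha1() digest and then with the per-user salt the post mentions. The salted version is what defeats the precomputed dictionary-hash lookups the post refers to, because the same password no longer produces the same stored value for two users. Function names, table layout and sample passwords are made up for this example.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.0.

// Registration, unsalted: store the digest, never the plaintext password.
function store_password_unsalted(string $password): string
{
    return sha1($password);
}

// Login, unsalted: re-hash the submitted password and compare to the stored digest.
// hash_equals() is a constant-time string comparison; it avoids both timing leaks
// and PHP's loose == comparison, which treats strings such as "0e123" as numbers.
function verify_password_unsalted(string $submitted, string $stored): bool
{
    return hash_equals($stored, sha1($submitted));
}

// Registration, salted: a random per-user salt is stored next to the digest.
// Two users with the same password now get different stored values, and a
// precomputed table of sha1("password") digests matches nothing in the database.
function store_password_salted(string $password): array
{
    $salt = bin2hex(random_bytes(16));          // 32 hex chars, unique per user
    return ['salt' => $salt, 'hash' => sha1($salt . $password)];
}

// Login, salted: prepend the user's own salt before hashing the submitted value.
function verify_password_salted(string $submitted, array $record): bool
{
    return hash_equals($record['hash'], sha1($record['salt'] . $submitted));
}

// Constructed sample data standing in for rows in a users table.
$adminRow = store_password_unsalted('correct horse battery');
var_dump(verify_password_unsalted('correct horse battery', $adminRow));
var_dump(verify_password_unsalted('wrong guess', $adminRow));

$alice = store_password_salted('same password');
$bob   = store_password_salted('same password');
var_dump($alice['hash'] === $bob['hash']);   // same password, different stored hash
var_dump(verify_password_salted('same password', $alice));
var_dump(verify_password_salted('same password', ['salt' => $bob['salt'], 'hash' => $alice['hash']]));
```

The last check shows why the salt has to be stored alongside its own digest: Alice's hash verified against Bob's salt fails even though both users chose the same password.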