
ranko84 at gmail dot com
17 years ago
Thanks for the feedback. This should do the trick, I hope.
I think that I haven't understood this sentence completely: "In this case you will need the salt to reside in the database along with the username and password." As in, were you referring to the previous method, this method or this function?
The salt already resides in the database along with the username, password, or any string you decide to hash. This function just scrambles it depending on the length of the string (password) the user enters, so that an attacker has trouble finding out what is salt and what is hash, if the attacker even suspects that there is a salt (the reasons behind $keepLength, or defining $hSLength, where you could set it to 24, leading the attacker to believe he's facing sha256, not sha1).

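<?php
// Builds (or, when $hDecode is given, rebuilds) a string in which the salt is
// split around the hash at a position derived from the length of $hString.
function obscure($hString, $hDecode = NULL, $hSLength = 10, $keepLength = NULL, $minhPass = 10, $hMethod = 'sha1')
{
    if ($hDecode == NULL)
    {
        // New value: hash 16 random characters to get the salt material.
        $hRandomSalt = '';
        for ($i = 0; $i < 16; $i++)
        {
            $hSalt = rand(33, 255);
            $hRandomSalt .= chr($hSalt);
        }
        $hRandomSalt = hash($hMethod, $hRandomSalt);
    }
    else
    {
        // Verification: the stored value carries the salt at both ends.
        $hRandomSalt = $hDecode;
    }

    // When the output length is kept, leave at least $minhPass hash characters.
    if ($keepLength != NULL && $hSLength > (strlen($hRandomSalt) - $minhPass))
    {
        $hSLength = (strlen($hRandomSalt) - $minhPass);
    }
    // Clamp in every case; a negative length would make the loop below never end.
    if ($hSLength < 0)
    {
        $hSLength = 0;
    }

    // Derive the split position from the length of the input string.
    $hLPosition = strlen($hString);
    while ($hLPosition > $hSLength)
    {
        $hNumber = substr($hLPosition, -1);
        $hLPosition = $hLPosition * ($hNumber / 10);
    }

    $hLPosition = (int)$hLPosition;
    $hRPosition = $hSLength - $hLPosition;

    // First part of the salt goes in front of the hash, last part behind it.
    $hFSalt = substr($hRandomSalt, 0, $hLPosition);
    $hLSalt = substr($hRandomSalt, -$hRPosition, $hRPosition);

    $hPassHash = hash($hMethod, ($hLSalt . $hString . $hFSalt));

    if ($keepLength != NULL && $hSLength != 0)
    {
        // Explicit length: substr() with a length of -0 returns an empty string.
        $hPassHash = substr($hPassHash, $hLPosition, strlen($hPassHash) - $hSLength);
    }

    return $hFSalt . $hPassHash . $hLSalt;
}
?>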
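
For comparison with the scheme in the note above, an added example (not part of the original note and not the note author's code) using PHP's built-in password API, available since PHP 5.5: the salt is generated on every call and stored in the open at a fixed position in the result string. The `$users` array and the `register`, `verify` and `describe` names are hypothetical.

```php
<?php
// Added example; constructed in-memory "users table", not a real database.
$users = [];

function register(array &$users, string $name, string $password): void
{
    // password_hash() generates a fresh random salt on each call and
    // encodes algorithm, cost, salt and digest into one string.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

function verify(array &$users, string $name, string $password): bool
{
    // password_verify() reads the salt and cost back out of the stored
    // string and compares the digests in constant time.
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Re-hash on successful login if the configured cost has changed.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, ['cost' => 10])) {
        register($users, $name, $password);
    }
    return true;
}

// Split a bcrypt string: "$2y$" . 2-digit cost . "$" . 22-char salt . 31-char digest
function describe(string $stored): array
{
    return [
        'prefix' => substr($stored, 0, 7),
        'salt'   => substr($stored, 7, 22),
        'digest' => substr($stored, 29),
    ];
}

register($users, 'alice', 'correct horse battery staple');
register($users, 'bob', 'correct horse battery staple');

print_r(describe($users['alice']));               // salt is readable in the stored value
var_dump($users['alice'] === $users['bob']);      // same password, separate salts
var_dump(verify($users, 'alice', 'correct horse battery staple'));
var_dump(verify($users, 'alice', 'wrong password'));
```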
