secure password in php using hash_hmac

i just get one function from this site which describe that how to generate secure password using hash. function is bellow

function hash_password($password, $nonce) {
  global $site_key;
  return hash_hmac('sha512', $password . $nonce, $site_key);
}

i am using this function like

$salt = sha1(rand()); 
$salt = substr($salt, 0, 4); 
$site_key="site.com";
$pass=hash_password($pass,$salt);

it generate random text on each time. but i am unable to verify that password in database, as in database password is stored and this generate random text every time.

i want to know how can i use this function to

1. Store Password in Database at 开发者_运维技巧time of user creation
2. Verify Password from database at login

or

is there any other secure way?

Thanks

You need to store the random string ($nonce I presume) in your database as part of the data, together with the resulting hash. Otherwise, you simply don't have enough information to validate the password.

Store the random generated string along with the password into user's row on the db or hardcode the salt and use always the same salt instead of changing it everytime. If you generate a new salt then the hash will change everytime you calculate it (and since it is a random value you cannot get it back...).

By the way, why not a simple MD5?

$pass = md5( $pass.$site_key );

Edit: please don't do that (the md5 thing I mean)! Mine here is an old and wrong suggestion. Find an updated resource online and choose a secure algorithm if you need to store passwords (php now also has password hashing and verifying functions that should be secure, https://www.php.net/manual/en/function.password-hash.php, check in the comments for further suggestions).