Please quickly check this PHP + SALT implementation - does not work?

Building on tutorials out there to implement a basic user sign up + log in system with salt. At the moment I'm using this for the sign up stage:

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    e开发者_如何学Pythonlse
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $plainText);
}

$newpass = generateHash($_POST['newpass']);

followed by:

$sql = "INSERT INTO user SET
              userid = '$_POST[newid]',
              password = PASSWORD('$newpass'), ... etc"

This works fine.

I now want to compare input password to check for equality (in a seperate access control file):

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt)
{

    $salt = substr($salt, 0, SALT_LENGTH);

    return $salt . sha1($salt . $plainText);
}

$sql = "SELECT password FROM user WHERE
        userid = '$uid'";
$result = mysql_query($sql);
$row = mysql_fetch_row($result);


$comparepwd = generateHash($pwd, $row['password']);


if (mysql_num_rows($result) == 0 || $comparepwd != $row['password']) {

//access denied, unset session variables
}

In principle I believe this should work. I am fairly new with PHP/MySQL so I would be extremely grateful if you could advise on why it isn't working. Thanks very much!

EDIT: Just realised, is it because

INSERT INTO user SET
                  userid = '$_POST[newid]',
                  password = PASSWORD('$newpass')

the PASSWORD('$newpass') does further MySQL hasing?

Yes, the password function is a one-way hash and you shouldn't be using it really!

http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html#function_password