From the documentation:
The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
You can prefix your salt with certain strings to force PHP to use a different algorithm (e.g., $5$
to use SHA-256). Personally I recommend using Blowfish at a high number of rounds; consult the documentation for an example.
P.S. - You should not be using mysql
in your PHP code, ever. Use the improved mysqli
extension instead.