The best way would be to use a PHP function that hashes the password for you.
If you have PHP =>5.5.0 then you can use the Password extension. It handles everything for you so that you do not have to think about it. Unless you are an expert in the field thinking too much about it is, quite frankly, not a very good idea.
$password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);
$hashed = password_hash($password, PASSWORD_BCRYPT);
// Done!
If you have PHP <5.5.0 then there are several options, among them:
- Use the compatibility library by mr. Anthony Ferrara.
- Use another library (PHPass for example).
- Use the
crypt()
function (it is slightly bothersome to use, but works fine)
As for Javascript, no. Just, no. Password hashing should be invisible to the client, and should never leave the internal network.
Doing it in SQL may work, but I do not think it is such a good idea, especially if you have written it yourself. No offence, but writing your own hashing algorithms is rarely a good idea; you should use algorithms written by people who know what they are doing, and which have been peer-reviewed by other experts.