There are some points that can be improved, but first I would recommend using PHP's new function password_hash(). This function generates a safe salt and includes it in the resulting hash value, so you can store it in a single database field. There is also a compatibility pack for earlier versions.
```php
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
```
Some thoughts about your code:
- You generate a BCrypt hash with crypt(), so the salt will be part of the resulting hash. There is no need to store it separately.
- The generation of the salt can be improved; use the random source of the operating system, MCRYPT_DEV_URANDOM.
- If you changed the cost factor to 9, the format would become invalid, because crypt() expects two digits.
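
The three points above, shown as an added example that is not part of the original answer: the salt and cost live inside the bcrypt string, and a single-digit cost makes crypt() reject the setting. It assumes PHP 7 or later; `bcryptSetting()` is a hypothetical helper, the password is a constructed sample, and `random_bytes()` stands in for MCRYPT_DEV_URANDOM because the mcrypt extension was removed in PHP 7.2.

```php
<?php
// Added example. bcryptSetting() is a hypothetical helper name.

// Build the second argument for crypt(): "$2y$" + two-digit cost + "$" + 22-char salt.
function bcryptSetting(int $cost): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 bytes from the OS CSPRNG, mapped onto the bcrypt salt alphabet (./A-Za-z0-9).
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    // %02d zero-pads the cost, so 9 is written as "09".
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

$password = 'correct horse battery staple'; // constructed sample input

// 1. A well-formed setting: the 60-character result carries algorithm, cost and salt.
$setting = bcryptSetting(9);
$hash = crypt($password, $setting);
echo "hash:          $hash\n";
echo "prefix ok:     ", var_export(substr($hash, 0, 7) === '$2y$09$', true), "\n";

// 2. The same setting with a single-digit cost: crypt() returns a short
//    failure string instead of a hash, which must never be stored.
$broken = str_replace('$2y$09$', '$2y$9$', $setting);
$failed = crypt($password, $broken);
echo "broken result: $failed\n";
echo "is failure:    ", var_export(strlen($failed) < 13, true), "\n";

// 3. Verification needs only the stored hash, because crypt() reads the
//    salt and cost back out of it. No separate salt column is required.
$recomputed = crypt($password, $hash);
echo "crypt verify:  ", var_export(hash_equals($hash, $recomputed), true), "\n";
echo "pw_verify:     ", var_export(password_verify($password, $hash), true), "\n";

// 4. password_hash() does the formatting itself, and password_get_info()
//    shows the cost that was embedded in the stored string.
$modern = password_hash($password, PASSWORD_BCRYPT, ['cost' => 9]);
echo "embedded cost: ", password_get_info($modern)['options']['cost'], "\n";

// Raising the cost later: detect hashes that should be re-hashed at next login.
$stale = password_needs_rehash($modern, PASSWORD_BCRYPT, ['cost' => 12]);
echo "needs rehash:  ", var_export($stale, true), "\n";
```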