Hashing your data, twice
I'm writing too much junk apparently, so here is a idea I had that would solve a lot of SQL injection damage.
Instead of hashing your passwords with md5($password), or instead of the safer md5(md5($password)), or even instead of md5(md5($password).md5($salt)), why not try md5(base64_encode($password))? Not used enough! I'm talking about websites where the source code isn't open for the public (exit: any free PHP CMS that isn't modified on the password storing part).
The scenario I'm talking about is the one where your website gets hacked, owned or roflz0rsyousuckpwned, through a method that doesn't involve executing system commands, but rather stays on the level of the web application. The first two on the top of my head are SQL injection and XSS.
So, the hacker used SQL injection on index.php, like this:
/index.php?id=1' UNION SELECT password FROM userTable
Alright, he has just retrieved a password that is most likely hashed, with SHA1 or md5, in 90% of the occasions. If the attacker is dedicated to his job, he'll open up some sweet cracking tool and start reversing it. Now, if you had a weak password, or your co-administrator had one, the attacker will be able to log in. Now, since the attack didn't involve any source code reading, the attacker will not know what way the password was hashed, md5 was an easy job since it contained 32 chars, a - f and 0 - 9. Double hashing would work good, but thinking on the level of a scriptkiddy: PasswordsPro cracks this. So, here comes the fun: just hash your password like this (play with it, base64_encode(rot13()) in the middle would be fun too :-) ):
md5(base64_encode($password))
Providing your attacker doesn't have your source code, try this method, even after an attack there won't be a way to recover the password.
Note: this method isn't new, just reminding.