Well, I have a bunch of questions to ask, but I will start with this one.
When I read tutorials, articles or topics on the internet about security I often read the following thing:
// escape all data in variables to prevent mysql injection
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$pass = md5($pass);
Now my question, is it really necessary to use the mysql_real_escape_string() function when you will md5() or sha1() the password? Because I always thought you use the mysql_real_escape_string() function to escape special characters into a string by using '\'. But when you use md5() or sha1(), the password itself would be completely encrypted so you wouldn't have to use the mysql_real_escape_string() function?
Although that is correct and there are no security implications in such code, you must remain consistent if you're not going to escape passwords. Take the following as a key example as to why you must remain consistent in either escaping or not escaping: