Inloggningsskript och lösenordshash, säkerhet? [PHP/MySQL]

session_start();
include 'db_conn.php';

function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
	
	$str = stripslashes($str);
	
	}
		return mysql_real_escape_string($str);
	}
$usrname = clean($_POST['usrname']);
$pwd = clean($_POST['pwd']);
$salt = sha1(md5($pwd));
$pwd = md5($pwd.$salt);

$mysql_qry = "SELECT member_id FROM members WHERE usrname='$usrname' AND pwd='$pwd'";
$result = mysql_query($mysql_qry);

	if($result) {
		if(mysql_num_rows($result) > 0) {
			session_regenerate_id();
			$member = mysql_fetch_assoc($result);
			$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
			session_write_close();
			header("location: index.php?s=member.php");
			exit();
		}else {
			echo "Login failed!";
			exit();
		}
	}else {
		die("Query failed");
	}

session_start();
if(!isset($_SESSION['SESS_MEMBER_ID']) || 
	(trim($_SESSION['SESS_MEMBER_ID'])=='')) {
	header("location: index.php");
	exit();
}

// auth.php:
session_start();
if(!isset($_SESSION['SESS_MEMBER_ID']) || 
	(trim($_SESSION['SESS_MEMBER_ID'])=='')) {
	header("location: index.php");
	exit();
}
if (isset($_SESSION['remote_addr']) AND isset($_SESSION['last_activity'])
	AND $_SESSION['remote_addr'] == $_SERVER['REMOTE_ADDR']
	AND $_SESSION['last_activity'] > strtotime('-30 minutes'))
{
	$_SESSION['last_activity'] = time();		
}
else die('Du har blivit utloggad');
//login-exec.php:
session_start();
include 'db_conn.php';
require 'PasswordHash.php';
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
	
	$str = stripslashes($str);
	
	}
		return mysql_real_escape_string($str);
	}

$usrname = clean($_POST['usrname']);
$pwd = clean($_POST['pwd']);
$pwdHasher = new PasswordHash(8, FALSE);
$mysql_qry = mysql_query("SELECT pwd, member_id FROM members WHERE usrname='$usrname'");
$result = mysql_fetch_assoc($mysql_qry);
$hash_db = $result['pwd'];
$member_id = $result['member_id'];
$checked = $pwdHasher->CheckPassword($pwd, $hash_db);

if ($checked) {
	session_regenerate_id();
	$_SESSION['SESS_MEMBER_ID'] = $member_id;
	$_SESSION['remote_addr'] = $_SERVER['REMOTE_ADDR'];
	$_SESSION['last_activity'] = time();
	session_write_close();
	header("location: index.php?s=member");
	exit();
	
} else {

	echo "Login failed!";
	exit();
	
}

class SessionManager {

	function __construct() {
	   // set our custom session functions.
	   session_set_save_handler(array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'), array($this, 'destroy'), array($this, 'gc'));
	 
	   // This line prevents unexpected effects when using objects as save handlers.
	   register_shutdown_function('session_write_close');
	}
	
	function start_session($session_name, $secure) {
	   // Make sure the session cookie is not accessable via javascript.
	   $httponly = true;
	 
	   $session_hash = 'whirlpool';
	 
	   // Check if whirlpool is available
	   if (in_array($session_hash, hash_algos())) {
		  // Set the has function.
		  ini_set('session.hash_function', $session_hash);
	   }
	   // How many bits per character of the hash.
	   // The possible values are '4' (0-9, a-f), '5' (0-9, a-v), and '6' (0-9, a-z, A-Z, "-", ",").
	   ini_set('session.hash_bits_per_character', 5);
	 
	   // Force the session to only use cookies, not URL variables.
	   ini_set('session.use_only_cookies', 1);
	 
	   // Get session cookie parameters 
	   $cookieParams = session_get_cookie_params(); 
	   // Set the parameters
	   session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); 
	   // Change the session name 
	   session_name($session_name);
	   // Now we can start the session
	   session_start();
	   // This line regenerates the session and delete the old one. 
	   // It also generates a new encryption key in the database. 
	   session_regenerate_id(true);    
	}
	function open() {
		$sess_db = new PDO('mysql:host=localhost;dbname=sec_sessions', 'sess_usr', 'password');
		$sess_db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); //Kommer självklart inte köra ERRMODE_EXCEPTION i skarp version
		$this->db = $sess_db;
		return true;
	}
	
	function read($id) {
	   if(!isset($this->read_stmt)) {
		  $this->query = $this->db->prepare("SELECT data FROM sessions WHERE id = ? LIMIT 1");
	   }
	   $this->query->execute(array($id));
	   $row = $this->query->fetchAll(PDO::FETCH_ASSOC);
	   $data = $row[0];
	   $data = $data['data'];
	   $key = $this->getkey($id);
	   $data = $this->decrypt($data, $key);
	   return $data;
	}
	function write($id, $data) {
		// Get unique key
		$key = $this->getkey($id);
		// Encrypt the data
		$data = $this->encrypt($data, $key);

		$time = time();
		if(!isset($this->w_stmt)) {
			$this->w_stmt = $this->db->prepare("REPLACE INTO sessions (id, set_time, data, session_key) VALUES (:id, :time, :data, :key)");
		}
		$params = array('id' => $id,'time' => $time,'data' => $data,'key' => $key);
		$this->w_stmt->execute($params);
		return true;
	}
	
	function destroy($id) {
		if(!isset($this->delete_stmt)) {
			$this->delete_stmt = $this->db->prepare("DELETE FROM sessions WHERE id=:id");
		}
		$this->delete_stmt->bindValue(':id', $id, PDO::PARAM_STR);
		$this->delete_stmt->execute();
		if ($this->delete_stmt->rowCount() > 0) {
			return true;
		} else {
			$this->errmsg .= "Failed to delete session from DB. \n";
			return false;
		}
			
	}
	function close() {
		return true;
	}
	
	function gc($max) {
		if(!isset($this->gc_stmt)) {
			$this->gc_stmt = $this->db->prepare("DELETE FROM sessions WHERE set_time < :old");
		}
		$old = time() - $max;
		$this->gc_stmt->bindValue(':old', $old, PDO::PARAM_STR);
		$this->gc_stmt->execute();
		return true;
	}
	
	private function getkey($id) {
		if(!isset($this->key_stmt)) {
			$this->key_stmt = $this->db->prepare("SELECT session_key FROM sessions WHERE id = ? LIMIT 1");
		}
		$this->key_stmt->execute(array($id));
		
		if($this->key_stmt->rowCount() == 1) { 
			$row = $this->key_stmt->fetchAll(PDO::FETCH_ASSOC);
			$row = $row[0];
			return $row['session_key'];
		} else {
			$random_key = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
			return $random_key;
	   }
	}
	
	private function encrypt($data, $key) {
		$salt = 'cH!swe!ASÖUOIFHD=(D/ASFHÖKJH(/oijhKJASas*ewr4n39=E@rAsp7c-Ph@pH';
		$key = substr(hash('sha256', $salt.$key.$salt), 0, 32);
		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
		$encrypted = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv));
		return $encrypted;
	}
	private function decrypt($data, $key) {
		$salt = 'cH!swe!ASÖUOIFHD=(D/ASFHÖKJH(/oijhKJASas*ewr4n39=E@rAsp7c-Ph@pH';
		$key = substr(hash('sha256', $salt.$key.$salt), 0, 32);
		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
		$decrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($data), MCRYPT_MODE_ECB, $iv);
		return $decrypted;
	}	
}