Does my PHP security algorithm effectively store user credentials?

Question

This question is about a specific programming problem I am having - I want to make sure that my code (and software algorithm) are sufficient enough to store user credentials in a database.

// Get a 32 character salt like '69Mt6nexL1rsjWnu011S53MpB/WmT4Vl'
$passwordSalt = Security::generateBase64Salt();

$user = new User();
$user->setUsername($_POST['username']);

// $_POST['password'] comes in as a 128 character string
// Client side javascript is used to sha512 the string before sending it over POST
// see http://pajhome.org.uk/crypt/md5/
// This prevents novice eavesdroppers from capturing the raw password in plaintext
$user->setPassword(
    hash('sha512', $passwordSalt.$_POST['password'])
);
$user->setPasswordSalt($passwordSalt);
$user->save();

Here's the database entry for a particular password:

Password:

69a78a7586a111b8a567b2d4f42f93f01fb59d337f7fa3c35949a66b246095778c1fa01ff4026abace476091e1e9a183bbdec1c31b12ce3f786921895c98cf6f

Salt:

69Mt6nexL1rsjWnu011S53MpB/WmT4Vl

Questions:

• Are there any inherit flaws with this algorithm?
• Is it OK to store the salt in the same database and table as the salt+password hash?
• Will having a large 128 character password cause login performance issues (on a magnitude of several seconds) if I have several hundred thousand users in the table?
• Can this data be reversed to produce the original password?

For Fun:

I'll PayPal you $5 if you can provide me with the original password using the salt and salt + password hash.

Answer 1

Everything Kendall said, and ..

.. Skip the hashing that you perform client side in javascript. Instead, just buy a SSL certificate and post the credentials over https. Will protect you from novice eavesdroppers as well as seasoned attackers.

And besides, once you hash on the client side, that effectively becomes your password. If an eavesdropper gets hold off the hashed password, he can pass it to your server and things would just work.