How to sign in after hashing pw with salt? <==EDITED VERSION #2 ==>

Question

This is my 2nd edit on this. I've been banging my head against the wall for few days now and feel like I am very close. I've tried many different versions of this third code chunk and just can't get it. Any idea of what I'm doing wrong ( Its the third code chunk that is changed )

if(!$error) {
    $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
    $rand = str_shuffle($alpha);
    $salt = substr($rand,0,40);
    $hashed_password = sha1($salt . $_POST['Password']);
    $query = "INSERT INTO `Users` (
                `FirstName`,
                `LastName`,
                `Email`,
                `Password`,
                `salt`,
                `RelationshipToCF`,
                `State`,
                `Gender`,
                `Birthday`,
                `Status`
        )VALUES(
                '" . mysql_real_escape_string($_POST['firstName']) . "',
                '" . mysql_real_escape_string($_POST['lastName']) . "',
                '" . mysql_real_escape_string($_POST['email']) . "',
                '" . $hashed_password . "',
                '" . $salt . "',
                '" . mysql_real_escape_string($_POST['RelationToCF']) . "',
                '" . mysql_real_escape_string($_POST['State']) . "',
                '" . mysql_real_escape_string($_POST['sex']) . "',
                '" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "',
                'pending'
    )";
    mysql_query($query, $connection);

Here is the method I am using to update existing passwords:

$query = "SELECT * FROM `Users`";
$request = mysql_query($query,$connection);
while($result = mysql_fetch_array($request)) {
    $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
    $rand = str_shuffle($alpha);
    $salt = substr($rand,0,40);
    $hashed_password = sha1($salt . $result['Password']);
    $user = $result['id'];

    $query2 = "UPDATE `Users` SET `salt` = '$salt' WHERE `id` = '$user'";
    $request2 = mysql_query($query2,$connection) or die(mysql_error());
    $query3 = "UPDATE `Users` SET `encrypted_passwords` = '$hashed_password' WHERE `id` = '$user'";
    $request3 = mysql_query($query3,$connection) or die(mysql_error());
}

So now I want to allow the user to sign in with the password they signed up with and at this point they can only sign in with the hashed password. Obviously this has not been applied to the real database quite yet.

Here is the query on the sign in pages that I am going to need to alter:

    if(isset($_POST['subSignIn']) &&
       !empty($_POST['email']) &&
       !empty($_POST['password'])) {

        $email = mysql_real_escape_string($_POST['email']);
        $password = mysql_real_escape_string($_POST['password']);
        $query = "SELECT
             `id`,`email`,`password` FROM `Users`
             WHERE `Email` = '" . $email . "' AND
             `Password` = '" . $password . "'  &&
             `Status` = 'active' LIMIT 1";
        $request = mysql_query($query,$connection) or die(mysql_error());

        if(@mysql_num_rows($request)) {

            $result = mysql_fetch_array($request);
            $_SESSION['LIFE']['AUTH'] = true;       
            $_SESSION['LIFE']['ID'] = $result['id'];

$query = "UPDATE `Users` SET` LastActivity` = '" . date("Y-m-d") ." " . date("g:i:s") . "'   WHERE `id` ='" .mysql_real_escape_string($_SESSION['LIFE']['ID']) . "' LIMIT 1";

            mysql_query($query,$connection);

            if(!empty($_POST['return'])) {          
                header("Location: " . $_POST['return']);        
            }else{
                header("Location: Dashboard.php?id=" . $_SESSION['LIFE']['ID']);
            }
        }else{
            $_SESSION['LIFE']['AUTH'] = false;      
            $_SESSION['LIFE']['ID'] = false;    
        }

I have been scouring the webernet for methods but figured I would take advantage of all the great minds on here and fish for a suggestion/method/tutorial/point in the right direction

<==My attempt after the original 5 answers==>

 i

f(isset($_POST['subSignIn']) && !empty($_POST['email']) && !empty($_POST['password'])) {


    $query = "SELECT id FROM cysticUsers WHERE Email = '$email' AND Password = SHA1(CONCAT(salt,'$password')) AND Status = 'active' LIMIT 1";
    $request = mysql_query($query,$connection) or die(mysql_error());

if(@mysql_num_rows($request)) {

        $row = mysql_fetch_assoc($request);
        if (sha1($row['salt'] . $_POST['password']) === $row['password']) {


        $_SESSION['CLIFE']['AUTH'] = true;
        $_SESSION['CLIFE']['ID'] = $result['id'];

        // UPDATE LAST ACTIVITY FOR USER
        $query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
        mysql_query($query,$connection);

        if(!empty($_POST['return'])) {
            header("Location: " . $_POST['return']);

        }else{
            header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
            }
        }

    }else{

        $_SESSION['CLIFE']['AUTH'] = false;
        $_SESSION['CLIFE']['ID'] = false;

    }
}

?>

Answer 1

I don't have time to go through the whole blocks of code, but basic salt / hash validation is as follows:

$user         // User has a $password and a $salt. $password = hash($plaintext . $salt);
$password     // Password we are checking.
return $user->password == hash($password . $user->salt);