I'm currently coding my own CMS and I'm at the state of password...

I want to know if I can md5 a password then sha1 it after?

Like:

$password = md5(sha1(mysql_real_escape_string($_POST['passw'])));

You can md5 any data you'd like, even if it was hashed before.

It will, however, only increase the risk of collisions because you're now working on a smaller dataset.

What are you trying to achieve?

Yes you can. No it doesn't make sense.

The security of chained hash functions is allways equal to or less than the security of the weakest algorithm.

i.e. md5(sha1($something)) is not more secure, than sha1($something): If you manage to break the sha1, you get the md5 for free, as shat($something) and sha1($faked_something) have the same value, and thus md5ing them will not change anything.

Make sure you add a salt in there too, this makes it much harder to use rainbow tables against your customer's/user's passwords.

Something like:

$hashedPassword = sha1(md5($password) . $salt . sha1($salt . $password));

Where salt can be a nice long random string itself, either constant across your application or a salt per contact which is stored with the user too.

You obviously can. I don't see why you couldn't.

If you want better security you should consider something like phpass.

You can do this, but there's no real benefit to it. If you're running your passwords through md5(), you'll get a bit more security from adding a cryptographic salt.

What is SALT and how do I use it? has more info on that.

The other bit of advice you may hear a lot is to not use MD5. SHA1 is comparatively stronger, and you only need to change your password field in your database to accept a 40 character string.