I'm deploying a classic hashing protection for user passwords. The submitted password on login is salted, hashed, and then compared to the already stored hash in the database.
But instead of using a PHP function call to compare the now hashed user input and the stored hash, the comparison is done in database - more precisely, using a
WHERE clause (NOTE: the salt is already known for various reasons at the time this comparison begins, but the password is not).
Since usernames are unique, the following query effectively tells if the username + password pair is a match or not:
SELECT * FROM `users` WHERE `password`='$password_hash' AND `username`='$username';
Is this approach vulnerable to timing attacks?
EDIT: SQL injection is not a concern, it is taken care of.