Yes, we need to salt passwords, but that’s not enough. What the library PHPass does is apply random salting, choose the best encryption algorithm available, and iterate it a high number of times… What you propose is a good first step, but it is less secure than this library, whose author is a security expert, also the author of the famous “john the ripper”. And even your simple code isn’t simpler than my suggested code that uses PHPass.
I’ll update the article to explain in a few words what the library does.
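As an added illustration of the approach described above (not code from the wiki page or from any of the commenters), here is a Yii 1.x `UserIdentity` that verifies logins with PHPass instead of comparing a plain or MD5 hash. It assumes PHPass's `PasswordHash.php` is on the include path and a `User` ActiveRecord with `username` and `password_hash` columns; both are assumptions, not part of the original page.

```php
<?php
// Added example, not code from the wiki page or its comments.
// Assumptions: PHPass's PasswordHash.php is on the include path, and a
// User model exists with 'username' and 'password_hash' columns.
require_once 'PasswordHash.php';

class PasswordHelper
{
    // Cost 8 means 2^8 iterations; false lets PHPass pick bcrypt when the
    // platform supports it rather than forcing the weaker portable hashes.
    const COST_LOG2 = 8;

    public static function hasher()
    {
        return new PasswordHash(self::COST_LOG2, false);
    }

    // Called on registration or password change, e.g. from User::beforeSave().
    // Each call yields a different hash for the same input because PHPass
    // generates a fresh random salt and stores it inside the hash string.
    public static function hash($plainPassword)
    {
        return self::hasher()->HashPassword($plainPassword);
    }
}

class UserIdentity extends CUserIdentity
{
    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));
        if ($user === null) {
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!PasswordHelper::hasher()->CheckPassword($this->password, $user->password_hash)) {
            // CheckPassword reads the algorithm, cost and salt from the stored
            // hash itself, so no separate salt column is needed.
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $user->id;
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode == self::ERROR_NONE;
    }

    public function getId()
    {
        return $this->_id;
    }
}
```

The stored value is the full self-describing hash string returned by `HashPassword()`, so raising the cost later only requires re-hashing on the user's next successful login; old hashes keep verifying because the cost is embedded in each one.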
When allowing users to edit records I think one thing to state in the article is how to use bizrules and findbypk() to prevent users from changing rows that they do not own. Also I have found it much more secure to only ever do an initial find on PK when trying to find a record that a user is editing (when going to save or something) since finding on other attributes could lead to ambiguity opening a potential (small but possible) door for users to affect the bizrules in such a manner so as to change records that they do not own or a record not associated with that particular page/section/whatever.
Dunno if this is security or common sense though to be honest.
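The pattern described in the comment above, written out as an added Yii 1.x example (not code from the wiki page or from the commenter): the record is looked up by primary key only, and ownership is then checked through an RBAC bizRule before any update is applied. It assumes a `Post` ActiveRecord with an `owner_id` column and an RBAC item named `updateOwnPost`; both names are assumptions.

```php
<?php
// Added example, not code from the wiki page or its comments.
// Assumptions: a Post ActiveRecord with an 'owner_id' column, and an RBAC
// operation 'updateOwnPost' whose bizRule is along the lines of
//   return Yii::app()->user->id == $params["post"]->owner_id;
class PostController extends CController
{
    public function actionUpdate($id)
    {
        $model = $this->loadOwnedModel($id);

        if (isset($_POST['Post'])) {
            // Mass assignment only touches attributes declared 'safe' in
            // Post::rules(); owner_id must not be among them, otherwise a
            // user could re-parent the row while editing it.
            $model->attributes = $_POST['Post'];
            if ($model->save()) {
                $this->redirect(array('view', 'id' => $model->id));
            }
        }

        $this->render('update', array('model' => $model));
    }

    // Fetch by primary key only, then authorize. Looking the row up by any
    // other attribute (title, slug, ...) could match more than one record
    // and let a crafted request reach a row the user does not own.
    protected function loadOwnedModel($id)
    {
        $model = Post::model()->findByPk((int) $id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested page does not exist.');
        }

        // checkAccess() evaluates the bizRule with the loaded record as a
        // parameter, so the ownership decision is based on what is actually
        // in the database, not on anything supplied in the request.
        if (!Yii::app()->user->checkAccess('updateOwnPost', array('post' => $model))) {
            throw new CHttpException(403, 'You are not allowed to edit this record.');
        }

        return $model;
    }
}
```

The same `loadOwnedModel()` helper serves the delete and view actions, so every code path that touches a specific row goes through one primary-key lookup followed by one authorization decision.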
What you describe is the domain of Authorization, i.e. ensuring users only have access to the resources they have permissions on.
The wiki page I wrote completely skips this subject for now. It could be a section of the page, but I believe it should be on a separate page. It is a lengthy subject, and the way Yii implements it is rather complex. Maybe this wiki page could contain links to the official guide and to other wiki pages on this. I’ll look for resources.