Let's assume for a moment that an intruder has rooted your server. A hacker now has access to your DB which has salted user credentials in it. Assuming you store a unique salt string in each record, you are semi-protected as the hacker would then have to use a library of hashes for each record using the records salt to see if it gets a hit, which I guess is quite a pain but obtainable.

Certain frameworks such as CakePHP use a static salt string. As the intruder I could then very easily convert my library to that salt and have a go with your users. If something such as ionCube were used on top of CakePHP, would that just about lock it up for an attacker or would they have ability to still obtain some source code?