Doc Bug #30316 Docs are wrong: multiple random salts supplied automatically
Submitted: 2004-10-04 07:45 UTC Modified: 2004-10-11 15:49 UTC
From: drachma60 at ml1 dot net Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.3.8 OS: FreeBSD
Private report: No CVE-ID: None

 

 [2004-10-04 07:45 UTC] drachma60 at ml1 dot net
Description:
------------
http://us2.php.net/manual/en/function.crypt.php says:

"If you are using the supplied salt, you should be aware that the salt is generated once. If you are calling this function recursively, this may impact both appearance and security."

However, this does NOT seem to be the case, at least NOT on FreeBSD where crypt uses md5 by default.

(Aside: Also, how would I call crypt "recursively"?  "repeatedly" I can understand.  But not "recursively", as crypt is not calling itself, nor can I (via PHP code) rewrite crypt to call itself.)

Thanks!

P.S.  It looks like the documentation may have been correct before "bug" 8080 was fixed in December of 2000.


Reproduce code:
---------------
<?php

for ($i = 0; $i < 10; $i++) {
  print crypt ("password"). "\n";
}

?>


Expected result:
----------------
$1$salt$qJH7.N4xYta3aEG/dfqo/0
$1$salt$qJH7.N4xYta3aEG/dfqo/0
$1$salt$qJH7.N4xYta3aEG/dfqo/0
$1$salt$qJH7.N4xYta3aEG/dfqo/0
$1$salt$qJH7.N4xYta3aEG/dfqo/0
$1$salt$qJH7.N4xYta3aEG/dfqo/0
$1$salt$qJH7.N4xYta3aEG/dfqo/0
$1$salt$qJH7.N4xYta3aEG/dfqo/0
$1$salt$qJH7.N4xYta3aEG/dfqo/0
$1$salt$qJH7.N4xYta3aEG/dfqo/0

(Summary: I would expect all the salts to be the same, as per the documentation.)

Actual result:
--------------
$1$49EUp1Z7$o9UbbesjLIgng.AMtBhuC0
$1$ppH4o1pX$LWrm5Lk6RIxVdNnR2ow741
$1$PEKufg9F$.qqFw6E2IlueP08IV2MQa0
$1$9agtuCbw$DuMMRD7ybYuB5OBmlw87E/
$1$uzXF0rxF$3V8.0dzVaxVSEh6OgoFtF0
$1$MGg.lgdp$QGmQ68mkdiDDnIDRoAPa20
$1$ZDIvcKNU$1tpYj4x63Py6NKQlvWCD21
$1$rGzlQCSP$M8mRQH4VlNU2cDfb8Y6ru.
$1$dKYZm7GZ$fQB58ZSFxm60e7Vovtma/.
$1$tyR3/3kx$uw14iqFovhETlgWfdicro0

(Summary: As you can see, the salts are different.)

 [2004-10-04 12:07 UTC] vrana@php.net
There is "If you are using the supplied salt" in the manual. In your example, you are not supplying the salt but using the default one.

I changed only recursively to repeatedly.
 [2004-10-11 04:19 UTC] drachma60 at ml1 dot net
Hi vrana,

Yes, I agree, there is an "If you are using the supplied salt" section in the manual.

However, I stand by my claim that the documentation does not correctly describe the current behavior of the crypt function.

In my sample code, I am not providing a salt.  Therefore, according to the documentation:

"If the salt argument is not provided, one will be randomly generated by PHP...."

"If you are using the supplied salt, you should be aware that the salt is generated once. If you are calling this function recursively, this may impact both appearance and security."

The "supplied salt" is the "randomly generated salt".  If the supplied salt were only generated once per PHP invocation, then all the lines of the result would be the same.  However, it is obvious that the generated crypt lines are not identical.  They are different.  Therefore, even though I am NOT supplying a salt to crypt, crypt is regenerating a new (and different) random salt each time I call it.  This is not what the documentation describes.

This regenerating behavior is the preferred behavior in that it is more secure.  Moreover, this is the behavior specifically requested by bug 8080.

However, the documentation describes the pre bug 8080 behavior.  The documentation is incorrect.

Thanks again!
 [2004-10-11 15:49 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

"If the salt argument is not provided, one will be randomly generated by PHP each time you call this function."
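
The difference the thread turns on (one salt per process versus one salt per call) can be checked mechanically on stored hashes. The following is an added example, not code from the report or from PHP itself: it parses MD5-crypt strings of the form `$1$salt$digest` and flags any salt that occurs more than once, using lines copied from the report's "Expected result" and "Actual result" as input. The function names are hypothetical.

```php
<?php
// Added example (not from the bug report): audit MD5-crypt hashes for salt reuse.

/** Split "$1$salt$digest" into fields; null if the string is not MD5-crypt. */
function parse_md5_crypt(string $hash): ?array
{
    // MD5-crypt: "$1$", a salt of up to 8 characters, then a 22-character digest.
    if (!preg_match('~^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$~', $hash, $m)) {
        return null;
    }
    return ['salt' => $m[1], 'digest' => $m[2]];
}

/** Return salt => list of hashes, keeping only salts that occur more than once. */
function find_reused_salts(array $hashes): array
{
    $bySalt = [];
    foreach ($hashes as $hash) {
        $parts = parse_md5_crypt(trim($hash));
        if ($parts !== null) {
            $bySalt[$parts['salt']][] = trim($hash);
        }
    }
    return array_filter($bySalt, fn(array $group): bool => count($group) > 1);
}

/** Print one finding per reused salt, or a single line if none is reused. */
function report(string $label, array $hashes): void
{
    $reused = find_reused_salts($hashes);
    if ($reused === []) {
        echo "$label: every salt is unique\n";
        return;
    }
    foreach ($reused as $salt => $group) {
        // Same salt and same digest means the same password was hashed.
        $distinct = count(array_unique($group));
        echo "$label: salt '$salt' used " . count($group) . " times, "
           . "$distinct distinct hash(es)\n";
    }
}

// Sample input: lines copied from the report's expected and actual results.
report('salt generated once', array_fill(0, 3, '$1$salt$qJH7.N4xYta3aEG/dfqo/0'));
report('salt generated per call', [
    '$1$49EUp1Z7$o9UbbesjLIgng.AMtBhuC0',
    '$1$ppH4o1pX$LWrm5Lk6RIxVdNnR2ow741',
    '$1$PEKufg9F$.qqFw6E2IlueP08IV2MQa0',
]);
```

With a reused salt, equal passwords produce equal hashes, so the first call reports one distinct hash for three entries; with a salt per call, the same password yields three unrelated strings.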
 
Last updated: Sun Aug 03 19:00:03 2025 UTC