Request #55036 Have crypt() throw E_WARNING when salt parameter missing
Submitted: 2011-06-11 21:00 UTC
Modified: 2015-05-24 06:12 UTC
Votes: 7
Avg. Score: 4.7 ± 0.7
Reproduced: 5 of 5 (100.0%)
Same Version: 1 (20.0%)
Same OS: 1 (20.0%)
From: ss23 at ss23 dot geek dot nz
Assigned: yohgaki
Status: Closed
Package: *Encryption and hash functions
PHP Version: Irrelevant
OS:
Private report: No
CVE-ID: None
 [2011-06-11 21:00 UTC] ss23 at ss23 dot geek dot nz
Description:
------------
Currently, you can call crypt('foo') without any problems; however, given how 
useless that is for anything, it's a security risk if someone were actually to do 
this.

Test script:
---------------
<?php
crypt('foo');

Expected result:
----------------
Warning: crypt() expects at least 2 parameters, 1 given

Actual result:
--------------
Works fine

History

 [2011-06-11 23:55 UTC] ss23 at ss23 dot geek dot nz
Another possible way to "fix" the security risk here would be to choose a sane 
hash as a default. Now that they're built in, it shouldn't be a problem to do 
this.
 [2013-07-31 04:08 UTC] yohgaki@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: yohgaki
 [2013-07-31 04:08 UTC] yohgaki@php.net
Users of PHP 5.5 or later should use password_hash()
http://php.net/manual/en/ref.password.php

It would be a good idea to raise E_WARNING, since crypt() w/o algo/hash produces a 
very weak hash.
 [2015-05-24 06:12 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2015-05-24 06:12 UTC] yohgaki@php.net
Warning is enabled in 7.0
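
The move to password_hash() recommended in the comments above, as an added example that is not part of the original report or of PHP's own code. It shows how a stored crypt()-format hash can still be verified and then replaced at login. The function name verify_and_upgrade() and the sample password and salt are assumptions made for illustration.

```php
<?php
// Added example, not from the bug report.
// Constructed legacy value: an MD5-crypt hash built with an explicit,
// constructed salt, standing in for a weak hash that an old crypt()
// call may have left in a user table.
$legacyHash = crypt('foo', '$1$constrct$');

/**
 * Check a login attempt against a stored hash.
 * Returns [bool $ok, ?string $newHash]; $newHash is non-null when the
 * stored value should be replaced with a stronger hash.
 * (Hypothetical helper name, chosen for this example.)
 */
function verify_and_upgrade(string $password, string $storedHash): array
{
    // password_verify() understands crypt()-format hashes, so legacy
    // values can be checked without calling crypt() directly.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }

    // True when the stored hash does not use the current default
    // algorithm and options, which is the case for the legacy value.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        // password_hash() picks the algorithm and generates the salt
        // itself, so there is no salt argument to forget.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    return [true, null];
}

// Correct password against the legacy hash: accepted, upgrade offered.
[$ok, $newHash] = verify_and_upgrade('foo', $legacyHash);
var_dump($ok, $newHash !== null);

// The replacement hash verifies and needs no further rehash.
[$okAgain, $again] = verify_and_upgrade('foo', $newHash);
var_dump($okAgain, $again === null);
var_dump(password_get_info($newHash)['algoName']);

// Wrong password: rejected, nothing to store.
[$bad, $none] = verify_and_upgrade('bar', $legacyHash);
var_dump($bad, $none);
```

In an application, the returned $newHash would be written back to the user's record in the same request that verified the login.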