[2018-01-25 20:20 UTC] vrana@php.net
-Status: Open
+Status: Not a bug
[2018-01-25 20:20 UTC] vrana@php.net
Description:
------------
The documentation states "Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters."

This is not true. The password is being truncated to a maximum length of 72 bytes. Since passwords should contain special characters, a lot of which are multi-byte, this should be clarified.

This is incorrect both on the documentation for password_hash() as well as the documentation for crypt().

Test script:
---------------
<?php
// 71 single-byte characters; only the character appended below differs between the calls
$pw = str_pad("", 71, 'a');
// Fixed salt so the three hashes can be compared directly
$salt = ['salt' => 'N9qo8uLOickgx2ZMRZoMye'];
echo password_hash($pw . 'a', PASSWORD_DEFAULT, $salt) . PHP_EOL;
echo password_hash($pw . 'ä', PASSWORD_DEFAULT, $salt) . PHP_EOL;
echo password_hash($pw . 'ö', PASSWORD_DEFAULT, $salt) . PHP_EOL;

Expected result:
----------------
Three different hashes

Actual result:
--------------
$2y$10$N9qo8uLOickgx2ZMRZoMye5mlC/WoAmNnGP3YkHGchsBkco85S4ZC
$2y$10$N9qo8uLOickgx2ZMRZoMyeWZPaNHNhngTN.zngPxYMmerH0ZknF7.
$2y$10$N9qo8uLOickgx2ZMRZoMyeWZPaNHNhngTN.zngPxYMmerH0ZknF7.
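
The byte-versus-character difference reported above, as an added example that is not part of the original report or of PHP's own code: it measures a password in bytes and characters, shows when the 72-byte cut lands inside a multi-byte character, and rejects over-long input before hashing. The names `BCRYPT_MAX_BYTES`, `bcrypt_input_report()` and `hash_password_checked()` are hypothetical, and the mbstring extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Added example, not from the report. All names below are hypothetical.
const BCRYPT_MAX_BYTES = 72; // the limit is counted in bytes, as the report states

// Report how much of a password bcrypt would actually use.
function bcrypt_input_report(string $password): array
{
    $bytes = strlen($password);             // bytes
    $chars = mb_strlen($password, 'UTF-8'); // characters (requires ext-mbstring)
    $used  = substr($password, 0, BCRYPT_MAX_BYTES);

    return [
        'bytes'            => $bytes,
        'chars'            => $chars,
        'truncated'        => $bytes > BCRYPT_MAX_BYTES,
        // true when the cut lands inside a multi-byte UTF-8 sequence
        'splits_character' => $bytes > BCRYPT_MAX_BYTES && !mb_check_encoding($used, 'UTF-8'),
    ];
}

// Refuse input that bcrypt would silently shorten, instead of hashing only a prefix.
function hash_password_checked(string $password): string
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new LengthException('Password is longer than 72 bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT);
}

// Constructed sample input: the three passwords from the test script above.
$base = str_repeat('a', 71);
foreach (['a', "\u{E4}", "\u{F6}"] as $last) { // a, ä, ö written as UTF-8 escapes
    $r = bcrypt_input_report($base . $last);
    printf("%d chars, %d bytes, truncated=%s, splits_character=%s\n",
        $r['chars'], $r['bytes'],
        var_export($r['truncated'], true), var_export($r['splits_character'], true));
}

// ä is C3 A4 and ö is C3 B6 in UTF-8, so both passwords share their first 72 bytes.
$hash = password_hash($base . "\u{E4}", PASSWORD_BCRYPT);
var_dump(password_verify($base . "\u{F6}", $hash));

try {
    hash_password_checked($base . "\u{E4}");
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```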