|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22806 Autogenerated crypt salt is not random
Submitted: 2003-03-20 11:36 UTC Modified: 2003-03-31 02:59 UTC
From: anj at aps dot anl dot gov Assigned:
Status: Closed Package: *Encryption and hash functions
PHP Version: 4.3.1 OS: Solaris 8
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: anj at aps dot anl dot gov
New email:
PHP Version: OS:


 [2003-03-20 11:36 UTC] anj at aps dot anl dot gov
Ever since we upgraded to from PHP 4.1.2 to 4.3.1 (we're using Sun's iPlanet server and the nsapi BTW), the autogenerated crypt salt being returned by new accounts in our password-protected area has been "..".

Using this test script:

<?php echo crypt("1234567890"); ?>

I find that although not always the case, very often (and especially if I wait for some time before reloading) the result returned from the above is ..EXlUiP8mHCU.

I have inserted a workaround to my PHP code now, and as I don't build PHP here it would be tricky for me to test any fix, but I thought the developers ought to know about this.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2003-03-20 17:27 UTC]
Please try using this CVS snapshot:
For Windows:

I can not reproduce this.
If this happens with the latest stable snapshot, please
add your configure line here.

 [2003-03-21 17:20 UTC] anj at aps dot anl dot gov
After further testing I note that I can only see this problem when using the NSAPI interface; when run through the CGI (command-line) version it doesn't occur.  I guess that indicates the problem is with NSAPI, so I've changed the bug category to "iPlanet related".

As I said before I'm not the sysadmin for our webserver, but I am trying to get the php4-STABLE-200303202230 version installed to test - I'll report back if I succeed.

The configure line on the 4.3.1 install that definitely exhibits the problem is reported by phpinfo() as this:
'./configure' '--prefix=/opt/local/php' '--with-mysql=/usr/local/mysql' '--with-nsapi=/usr/local/iplanet/server4' '--with-config-file-path=/etc' '--enable-libgcc'
 [2003-03-23 11:29 UTC]
I cannot reproduce this. And: the nsapi module has nothing to do with crypt.
The only difference is that PHP is always reinitialized when running as cgi. Could be that it always uses same crypt salt since restarting the webserver.
 [2003-03-24 03:35 UTC]
Set to 'Open' when you really give the feedback of whether the snapshot works or not.

 [2003-03-24 03:38 UTC]
And please check the line with HAVE_RAND_R in main/php_config.h, is it defined to 1 ?

 [2003-03-27 15:03 UTC] anj at aps dot anl dot gov
This bug is present when using php4-STABLE-200303202230.

main/php_config.h does have the line
  #define HAVE_RAND_R 1

As I said before, this only occurs when I use the nsapi interface from Sun's iPlanet server (SERVER_SOFTWARE is iPlanet-WebServer-Enterprise/4.1); with the command-line/cgi interface to PHP the salt is always random.
 [2003-03-31 02:59 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue Nov 29 03:05:53 2022 UTC