|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44133 Encrypting then decrypting a string results in unidentical strings.
Submitted: 2008-02-15 22:20 UTC Modified: 2008-02-18 23:34 UTC
From: squinky86 at gmail dot com Assigned:
Status: Not a bug Package: mcrypt related
PHP Version: 5.2.5 OS: Linux and Windows
Private report: No CVE-ID: None
 [2008-02-15 22:20 UTC] squinky86 at gmail dot com
When I mcrypt_encrypt() a string, then immediately mcrypt_decrypt() the string, the result is two strings that appear identical but are not.

Reproduce code:
Due to having multiple test cases for this bug, I have posted the code to:,182537.msg815864.html
Note also that since the posting of this issue, I have noted the following:
strlen($toEncrypt) == strlen($decrypted) == 13
ord($toEncrypt[$i]) == ord($decrypted[$i]) for all $i = 0..12

For all intensive purposes, the strings are identical, but PHP does not define them as such.

Expected result:
The strings should be identical after encryption and decryption

Actual result:
The strcmp() function returns "-3". The == operator returns "false".


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-02-16 00:02 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

That\'s because the IV needs to be the same for encrypting as well as decrypting.
 [2008-02-18 16:43 UTC] squinky86 at gmail dot com
It does the same thing when iv is the same.
 [2008-02-18 16:44 UTC] squinky86 at gmail dot com
Note that the most curious aspect of it is that two seemingly identical strings, that have the same ord() and strlen(), do not compare as identical.
 [2008-02-18 23:34 UTC]
Did you actually check the strlens?


0000000   S   e   e       S   p   o   t       R   u   n   .  \n   S   e
0000020   e       S   p   o   t       R   u   n   .  \0  \0  \0  \n

There are 3 null bytes on the end of the decoded version and the strlen is 16 vs. 13 for $toEncode.  This null-padding is discussed extensively in the comments for mcrypt_decrypt in the manual.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Feb 25 03:01:28 2024 UTC