PHP :: Bug #44133 :: Encrypting then decrypting a string results in unidentical strings.

Bug #44133	Encrypting then decrypting a string results in unidentical strings.
Submitted:	2008-02-15 22:20 UTC	Modified:	2008-02-18 23:34 UTC
From:	squinky86 at gmail dot com	Assigned:
Status:	Not a bug	Package:	mcrypt related
PHP Version:	5.2.5	OS:	Linux and Windows
Private report:	No	CVE-ID:	None

View Developer Edit

[2008-02-15 22:20 UTC] squinky86 at gmail dot com

Description:
------------
When I mcrypt_encrypt() a string, then immediately mcrypt_decrypt() the string, the result is two strings that appear identical but are not.

Reproduce code:
---------------
Due to having multiple test cases for this bug, I have posted the code to:
http://www.phpfreaks.com/forums/index.php/topic,182537.msg815864.html
Note also that since the posting of this issue, I have noted the following:
strlen($toEncrypt) == strlen($decrypted) == 13
ord($toEncrypt[$i]) == ord($decrypted[$i]) for all $i = 0..12

For all intensive purposes, the strings are identical, but PHP does not define them as such.

Expected result:
----------------
The strings should be identical after encryption and decryption

Actual result:
--------------
The strcmp() function returns "-3". The == operator returns "false".

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-02-16 00:02 UTC] derick@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

That\'s because the IV needs to be the same for encrypting as well as decrypting.

[2008-02-18 16:43 UTC] squinky86 at gmail dot com

It does the same thing when iv is the same.

[2008-02-18 16:44 UTC] squinky86 at gmail dot com

Note that the most curious aspect of it is that two seemingly identical strings, that have the same ord() and strlen(), do not compare as identical.

[2008-02-18 23:34 UTC] rasmus@php.net

Did you actually check the strlens?

eg.

0000000   S   e   e       S   p   o   t       R   u   n   .  \n   S   e
0000020   e       S   p   o   t       R   u   n   .  \0  \0  \0  \n

There are 3 null bytes on the end of the decoded version and the strlen is 16 vs. 13 for $toEncode.  This null-padding is discussed extensively in the comments for mcrypt_decrypt in the manual.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Mar 26 15:01:30 2025 UTC