|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49954 Crypt() does not work for string < 4 character
Submitted: 2009-10-22 11:51 UTC Modified: 2011-09-13 12:21 UTC
Avg. Score:4.3 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: rgr at woodwing dot com Assigned: pajoye (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.3.0 OS: win32 only - Win XP 64-bit
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: rgr at woodwing dot com
New email:
PHP Version: OS:


 [2009-10-22 11:51 UTC] rgr at woodwing dot com
The function Crypt() does not work with less than 4 characters in PHP 5.3.0. See the code sample below.

When using 'test' as $user_input and $password it does work correct.

Reproduce code:
From manual page: function.crypt#Examples

$user_input = 'tes';
$password = crypt('tes'); // let the salt be automatically generated

if (crypt($user_input, $password) == $password) {
  echo "Password verified!";

Expected result:
The comparison should result true.

Actual result:
The comparison returns false.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-27 13:44 UTC] vdklah at hotmail dot com
This problem is pretty bad; After PHP 5.2->5.3 migration, users having short passwords are no longer allowed to login (to our system) due to the crypt mismatch! And, even worse, they are not allowed to change their password due to the very same problem!
 [2009-10-30 12:47 UTC] carlodeboer at me dot com
We are also experiencing problems with this bug. Especially during testing and pilot studies it is quite common to have short passwords. Upgrading to PHP 5.3 is not possible with this bug since we have to support existing installations with short passwords.
 [2009-10-31 16:53 UTC]
I can't reproduce it here. Can you try using a php 5.3 VC9 snapshot please?
 [2009-11-02 20:47 UTC]
May be related to #50052. Please try a SVN snapshot.
 [2009-11-03 08:02 UTC] rgr at woodwing dot com
Hello Pajoye,

thank you for your response. I have tried the 5.3.2-dev build from snapshot and this issue is indeed fixed there. 

Good to know this is fixed in a later version.
 [2011-09-10 21:31 UTC] c dot clix at tiscali dot it
PHP 5.3.6 on WIN 32bit:

The BUG is still unsolved.
 [2011-09-13 10:19 UTC] rgr at woodwing dot com
Hello c.clix,

We tested this issue on 'win 2003 32bit' with PHP 5.3.6 and we cannot reproduce 
this issue anymore.

Could you please elaborate and provide more details how you can still reproduce 
this issue on Win 32bit with PHP 5.3.6?
 [2011-09-13 10:27 UTC]
And please try with 5.3.8, not any other version.
 [2011-09-13 12:17 UTC] c dot clix at tiscali dot it
Hi, right now I cannot test it with PHP 5.3.8

Here is my test.

Source code:


$user_input = 'tes';
$password = crypt($user_input);

if (crypt($user_input, $password) == $password) {
  echo "Password verified!";
} else {
  echo "Password NOT verified!";

echo "<br>";

$user_input = 'test';
$password = crypt($user_input);

if (crypt($user_input, $password) == $password) {
  echo "Password verified!";
} else {
  echo "Password NOT verified!";

Here is the output (I've extracted the main information with copy&paste):

PHP Version 5.3.6
System 	Windows NT T11972946 5.2 build 3790 (Windows Server 2003 Enterprise Edition Service Pack 2) i586 
Build Date 	Mar 17 2011 10:46:06
Compiler 	MSVC9 (Visual C++ 2008) 
Architecture 	x86
Configure Command 	cscript /nologo configure.js "--enable-snapshot-build" "--enable-debug-pack" "--disable-zts" "--disable-isapi" "--disable-nsapi" "--without-mssql" "--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=D:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8=D:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=D:\php-sdk\oracle\instantclient11\sdk,shared" "--with-enchant=shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static"
Server API 	CGI/FastCGI
Virtual Directory Support 	disabled
Configuration File (php.ini) Path 	C:\WINDOWS
Loaded Configuration File 	C:\Program Files\PHP\php.ini
Scan this dir for additional .ini files 	(none)
Additional .ini files parsed 	(none)
PHP API 	20090626
PHP Extension 	20090626
Zend Extension 	220090626
Zend Extension Build 	API220090626,NTS,VC9
PHP Extension Build 	API20090626,NTS,VC9
Debug Build 	no
Thread Safety 	disabled
Zend Memory Manager 	enabled
Zend Multibyte Support 	disabled
IPv6 Support 	enabled
Registered PHP Streams 	php, file, glob, data, http, ftp, zip, compress.zlib, compress.bzip2, https, ftps, phar
Registered Stream Socket Transports 	tcp, udp, ssl, sslv3, sslv2, tls
Registered Stream Filters 	convert.iconv.*, mcrypt.*, mdecrypt.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, zlib.*, bzip2.* 

Password NOT verified!
Password verified!
 [2011-09-13 12:21 UTC]
download it, unzip it anywhere you, open a cmd line, run: php.exe -n 

Easy, simple :)
 [2011-09-13 12:31 UTC] c dot clix at tiscali dot it
Ok, I'll try this on a 5.3.8 very soon.

Anyway, I think it is important to understand in which version this bug was officially solved:

If it was officially fixed on a version <= 5.3.6, then it was probably not completely fixed.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Dec 05 08:05:54 2022 UTC