php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #55036 Have crypt() throw E_WARNING when salt parameter missing
Submitted: 2011-06-11 21:00 UTC Modified: 2013-07-31 04:08 UTC
Votes:7
Avg. Score:4.7 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:1 (20.0%)
Same OS:1 (20.0%)
From: ss23 at ss23 dot geek dot nz Assigned: yohgaki
Status: Assigned Package: *Encryption and hash functions
PHP Version: Irrelevant OS:
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-06-11 21:00 UTC] ss23 at ss23 dot geek dot nz
Description:
------------
Currently, you can call crypt('foo') without any problems, however, given how 
useless that is for anything, it's a security risk if someone was actually to do 
this.

Test script:
---------------
<?php
crypt('foo');

Expected result:
----------------
Warning: crypt() expects at least 2 parameters, 1 given

Actual result:
--------------
Works fine

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-06-11 23:55 UTC] ss23 at ss23 dot geek dot nz
Another possible way to "fix" the security risk here would be to choose a sane 
hash as a default. Now that they're built in, it shouldn't be a problem to do 
this.
 [2013-07-31 04:08 UTC] yohgaki@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: yohgaki
 [2013-07-31 04:08 UTC] yohgaki@php.net
Users' PHP 5.5 or later should use password_hash()
http://php.net/manual/en/ref.password.php

It would be good idea raise E_WARNING, since crypt() w/o algo/hash produces very 
weak hash.
 
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Tue Apr 28 02:01:40 2015 UTC