Request #55036 Have crypt() throw E_WARNING when salt parameter missing
Submitted: 2011-06-11 21:00 UTC Modified: 2015-05-24 06:12 UTC
Avg. Score:4.7 ± 0.7
Reproduced:5 of 5 (100.0%)
Same Version:1 (20.0%)
Same OS:1 (20.0%)
From: ss23 at ss23 dot geek dot nz Assigned: yohgaki
Status: Closed Package: *Encryption and hash functions
PHP Version: Irrelevant OS:
Private report: No CVE-ID:
 [2011-06-11 21:00 UTC] ss23 at ss23 dot geek dot nz
Currently, you can call crypt('foo') without any problems, however, given how 
useless that is for anything, it's a security risk if someone was actually to do 

Test script:

Expected result:
Warning: crypt() expects at least 2 parameters, 1 given

Actual result:
Works fine


 [2011-06-11 23:55 UTC] ss23 at ss23 dot geek dot nz
Another possible way to "fix" the security risk here would be to choose a sane 
hash as a default. Now that they're built in, it shouldn't be a problem to do 
 [2013-07-31 04:08 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: yohgaki
 [2013-07-31 04:08 UTC]
Users of PHP 5.5 or later should use password_hash().

It would be a good idea to raise E_WARNING, since crypt() w/o algo/hash produces a very 
weak hash.
 [2015-05-24 06:12 UTC]
-Status: Assigned +Status: Closed
 [2015-05-24 06:12 UTC]
Warning is enabled in 7.0
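
Added example, not part of the bug report thread or of PHP's own code: one way to act on the password_hash() advice above for hashes that older crypt() calls have already stored, by verifying at login and re-hashing when the stored format is not the current default. The function name `verify_and_upgrade`, the sample password, the constructed salt, and the assumption that the legacy record is in MD5-crypt (`$1$`) format are all illustrative.

```php
<?php
/**
 * Hypothetical helper: verify a login against a stored hash and return a
 * replacement hash when the stored one is not in the current default format.
 *
 * @return array{ok: bool, newHash: ?string}
 */
function verify_and_upgrade(string $password, string $storedHash): array
{
    // password_verify() accepts crypt()-format hashes as well as
    // password_hash() output, so legacy records can still be checked.
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }

    // Any hash not produced with the current default algorithm and cost
    // (including legacy crypt() formats) is reported as needing a rehash.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return [
            'ok'      => true,
            'newHash' => password_hash($password, PASSWORD_DEFAULT),
        ];
    }

    return ['ok' => true, 'newHash' => null];
}

// Constructed legacy record: MD5-crypt with an explicit, constructed salt,
// standing in for a hash stored by old code (assumption for this example).
$legacy = crypt('foo', '$1$constrct$');

// First login after deployment: password matches, replacement hash returned.
$first = verify_and_upgrade('foo', $legacy);
var_dump($first['ok'], $first['newHash'] !== null);

// Later login against the upgraded hash: matches, no further rehash needed.
$second = verify_and_upgrade('foo', $first['newHash']);
var_dump($second['ok'], $second['newHash'] === null);

// Wrong password against the legacy record is rejected and nothing is rehashed.
$bad = verify_and_upgrade('bar', $legacy);
var_dump($bad['ok'], $bad['newHash'] === null);
```

The caller is expected to persist `newHash` in place of the old record whenever it is not null.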
Last updated: Tue Oct 13 23:01:31 2015 UTC