Bug #65093 password_hash ignores salts with spaces
Submitted: 2013-06-21 22:37 UTC Modified: 2013-06-24 00:15 UTC
From: michael at squiloople dot com Assigned: ircmaxell (profile)
Status: Not a bug Package: hash related
PHP Version: 5.5.0 OS: Windows Vista SP2
Private report: No CVE-ID: None

 [2013-06-21 22:37 UTC] michael at squiloople dot com
When manually setting a salt which contains spaces the function ignores it and 
automatically generates its own.

Test script:
  echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 'thisisatestthisisatest'));

  echo '<br>';

  echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 'thisisatestthisis test'));

Expected result:
$2y$10$thisisatestthisis tesOZPioeRNSLNeG3cuJW56OSusfQ5SjKdO

(with the part after the salt being whatever it would be)

Actual result:


 [2013-06-22 05:48 UTC]
I think it's only a documentation problem, which should explain which characters are allowed in the salt (from code: a-z A-Z 0-9 . /)

(notice: It is strongly recommended that you do not generate your own salt for this function)
 [2013-06-22 12:36 UTC] michael at squiloople dot com
Would it be worth then having an error or a boolean/null return value rather than 
having it "fail" silently? If at any point the allowed characters for the salt were 
to be extended, then past hashes (where a salt was generated by the developer with 
previously invalid characters) would be broken.

If you give the developer the option to provide a value then surely it should be 
either accepted or denied rather than just ignored.
 [2013-06-24 00:07 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: ircmaxell
 [2013-06-24 00:15 UTC]
-Status: Assigned +Status: Not a bug
 [2013-06-24 00:15 UTC]
This is not a bug. This is as designed.

The reason is that crypt requires a salt that's base64 encoded. A space 
character is not a valid character in the salt. Therefore, password_hash will 
attempt to use the salt directly (if it's valid in the base64 character set). 
But any character outside a-zA-Z0-9./ and it'll base64 encode the salt first. 
You can test this yourself:

echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 'thisisatestthisis test'));
echo "\n";
echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 'thisisatestthisis test'));

Produces the same result twice in a row:


Which indicates that it's actually encoding the salt you pass in, rather than 
generating a random one.

So it's still using your salt, and it's most definitely not failing.

Closing as Not A Bug. Thanks for the report!
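To make the behaviour ircmaxell describes concrete, here is an added Python model (not code from the PHP project or from anyone in this thread) of what password_hash() does with a caller-supplied bcrypt salt, plus the explicit accept-or-deny check the reporter asked for: pull the salt field out of the resulting hash and compare it with what was passed in. It assumes the 22-character a-zA-Z0-9./ alphabet given in the thread; the mapping of base64 '+' to '.' and the rejection of '=' padding are my reading of the PHP 5.5 source, not something stated on this page.

```python
import base64
import re

# bcrypt salt alphabet and length as given in the thread: a-zA-Z0-9./ and 22 characters
SALT_ALPHABET = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
)
SALT_LEN = 22
# $2y$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"\$2[axy]\$\d{2}\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")


def salt_is_alphabet(salt: str) -> bool:
    """True when every character is in the bcrypt salt alphabet."""
    return all(c in SALT_ALPHABET for c in salt)


def effective_salt(salt: str) -> str:
    """Model of what PHP 5.5 password_hash() feeds to crypt() for a caller-supplied salt.

    A salt already in the alphabet is used verbatim (truncated to 22 chars); anything
    else is base64-encoded first, as described in the thread. Mapping '+' to '.' and
    refusing '=' padding is an assumption taken from my reading of the 5.5 source.
    The salt option is deprecated since PHP 7.0 and ignored since 8.0, so this only
    models 5.x behaviour.
    """
    if salt_is_alphabet(salt):
        if len(salt) < SALT_LEN:
            raise ValueError("Provided salt is too short")
        return salt[:SALT_LEN]
    encoded = base64.b64encode(salt.encode("utf-8")).decode("ascii")[:SALT_LEN]
    if len(encoded) < SALT_LEN or "=" in encoded:
        raise ValueError("Provided salt is too short")
    return encoded.replace("+", ".")


def salt_from_hash(hash_str: str) -> str:
    """Extract the 22-character salt field from a $2y$-style hash string."""
    m = BCRYPT_RE.fullmatch(hash_str)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    return m.group(1)


def salt_was_used_verbatim(supplied: str, hash_str: str) -> bool:
    """The accept-or-deny check the reporter wanted: did the hash embed the salt the
    caller passed, or was it silently transformed on the way to crypt()?"""
    return salt_from_hash(hash_str) == supplied[:SALT_LEN]


if __name__ == "__main__":
    for s in ("thisisatestthisisatest", "thisisatestthisis test"):
        kind = "verbatim" if salt_is_alphabet(s) else "base64-encoded"
        print(repr(s), "->", effective_salt(s), kind)
```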