|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66874 Hashing gives same output for a specific string
Submitted: 2014-03-10 01:53 UTC Modified: 2014-03-10 02:10 UTC
From: amish dot mhatre dot 1993 at gmail dot com Assigned:
Status: Not a bug Package: hash related
PHP Version: 5.4.26 OS: Windows 7
Private report: No CVE-ID: None
 [2014-03-10 01:53 UTC] amish dot mhatre dot 1993 at gmail dot com
From manual page:

Test script:

echo "Using Salt: tRySalTIng@free ";
echo "<br><br>";

echo "1234567890: ".$ped."<br><br>";

echo "123456789123: ".$ped."\n";

echo "<br><br>";
echo "<br><br>";

echo "Using Salt: BLA&ZE11005!@98 ";
echo "<br><br>";

echo "1234567890: ".$ped."<br><br>";

echo "123456789123: ".$ped."\n";


Expected result:
Got following output:

Using Salt: tRySalTIng@free 

1234567890: tRIrkXjwVoQ4E

123456789123: tRIrkXjwVoQ4E 

Using Salt: BLA&ZE11005!@98 

1234567890: BLBaYGP/QWoPM

123456789123: BLBaYGP/QWoPM

Both gave same hashed values for above strings. Well try to checkout this bug asap because it is not at all safe regarding security point of view.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-10 02:02 UTC]
-Status: Open +Status: Not a bug
 [2014-03-10 02:02 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

Your salt is triggering CRYPT_STD_DES, and as stated in the documentation:

> The standard DES-based crypt() returns the salt as the first two characters of
> the output. It also only uses the first eight characters of str, so longer
> strings that start with the same eight characters will generate the same result
> (when the same salt is used).
 [2014-03-10 02:10 UTC]
And while I'm here,

Don't try to do your own password hashing. Unless you're an expert in cryptography you will get something wrong, such as not use crypt() or the salts available to it correctly.
Use in PHP 5.5+ or for earlier versions.
 [2014-03-10 02:57 UTC] amish dot mhatre dot 1993 at gmail dot com

thanks for info. Yes I went through documentation and got idea about the cryt() function.  

And thanks for the links. The function stated there meet to my requirements.
Thanks once again.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sat Dec 10 05:03:58 2022 UTC