|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66874 Hashing gives same output for a specific string
Submitted: 2014-03-10 01:53 UTC Modified: 2014-03-10 02:10 UTC
From: amish dot mhatre dot 1993 at gmail dot com Assigned:
Status: Not a bug Package: hash related
PHP Version: 5.4.26 OS: Windows 7
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: amish dot mhatre dot 1993 at gmail dot com
New email:
PHP Version: OS:


 [2014-03-10 01:53 UTC] amish dot mhatre dot 1993 at gmail dot com
From manual page:

Test script:

echo "Using Salt: tRySalTIng@free ";
echo "<br><br>";

echo "1234567890: ".$ped."<br><br>";

echo "123456789123: ".$ped."\n";

echo "<br><br>";
echo "<br><br>";

echo "Using Salt: BLA&ZE11005!@98 ";
echo "<br><br>";

echo "1234567890: ".$ped."<br><br>";

echo "123456789123: ".$ped."\n";


Expected result:
Got following output:

Using Salt: tRySalTIng@free 

1234567890: tRIrkXjwVoQ4E

123456789123: tRIrkXjwVoQ4E 

Using Salt: BLA&ZE11005!@98 

1234567890: BLBaYGP/QWoPM

123456789123: BLBaYGP/QWoPM

Both gave same hashed values for above strings. Well try to checkout this bug asap because it is not at all safe regarding security point of view.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-10 02:02 UTC]
-Status: Open +Status: Not a bug
 [2014-03-10 02:02 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

Your salt is triggering CRYPT_STD_DES, and as stated in the documentation:

> The standard DES-based crypt() returns the salt as the first two characters of
> the output. It also only uses the first eight characters of str, so longer
> strings that start with the same eight characters will generate the same result
> (when the same salt is used).
 [2014-03-10 02:10 UTC]
And while I'm here,

Don't try to do your own password hashing. Unless you're an expert in cryptography you will get something wrong, such as not use crypt() or the salts available to it correctly.
Use in PHP 5.5+ or for earlier versions.
 [2014-03-10 02:57 UTC] amish dot mhatre dot 1993 at gmail dot com

thanks for info. Yes I went through documentation and got idea about the cryt() function.  

And thanks for the links. The function stated there meet to my requirements.
Thanks once again.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Nov 26 22:03:16 2021 UTC