[2014-07-19 02:00 UTC] yohgaki@php.net
-Assigned To:
+Assigned To: yohgaki
[2014-07-19 02:05 UTC] yohgaki@php.net
-PHP Version: Irrelevant
+PHP Version: 5.5
[2017-10-24 08:13 UTC] kalle@php.net
-Status: Assigned
+Status: Open
-Assigned To: yohgaki
+Assigned To:
[2020-12-23 17:05 UTC] cmb@php.net
-Type: Bug
+Type: Feature/Change Request
-Package: hash related
+Package: *Encryption and hash functions
[2020-12-23 17:05 UTC] cmb@php.net
Description:
------------
PASSWORD_BCRYPT truncates password longer than 72 bytes silently

Test script:
---------------
[yohgaki@dev tmp]$ php -r 'var_dump(password_verify("123456789012345678901234567890123456789012345678901234567890123456789012", password_hash("12345678901234567890123456789012345678901234567890123456789012345678901234567890", PASSWORD_DEFAULT)));'
bool(true)
[yohgaki@dev tmp]$ php -r 'var_dump(password_verify("12345678901234567890123456789012345678901234567890123456789012345678901", password_hash("12345678901234567890123456789012345678901234567890123456789012345678901234567890", PASSWORD_DEFAULT)));'
bool(false)

Expected result:
----------------
password_hash() should raise E_NOTICE when password is too long for it.

Actual result:
--------------
Silently ignores bytes larger than 72.
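
A caller-side check for the behaviour reported above, as an added example that is not part of the original report or of PHP itself. The helper `bcrypt_hash_checked()` and the constant `BCRYPT_MAX_INPUT_BYTES` are hypothetical names, the sample passwords are constructed to mirror the test script, and `PASSWORD_BCRYPT` is used explicitly where the report used `PASSWORD_DEFAULT`.

```php
<?php
declare(strict_types=1);

// Added example: the names below are hypothetical and not part of PHP.
const BCRYPT_MAX_INPUT_BYTES = 72; // the limit described in this report

/**
 * Hash with bcrypt, but surface over-long input instead of letting it be
 * truncated silently.
 * $strict = true  rejects the password with an exception.
 * $strict = false raises E_USER_NOTICE and hashes anyway, which is the
 *                 behaviour the report asks password_hash() to have.
 */
function bcrypt_hash_checked(string $password, bool $strict = true, array $options = []): string
{
    // strlen() counts bytes, not characters: multibyte UTF-8 input
    // reaches the limit with fewer than 72 visible characters.
    $len = strlen($password);
    if ($len > BCRYPT_MAX_INPUT_BYTES) {
        $msg = sprintf(
            'password is %d bytes; bytes beyond the first %d are ignored by bcrypt',
            $len,
            BCRYPT_MAX_INPUT_BYTES
        );
        if ($strict) {
            throw new LengthException($msg);
        }
        trigger_error($msg, E_USER_NOTICE);
    }
    return password_hash($password, PASSWORD_BCRYPT, $options);
}

// Constructed sample input with the same shape as the report's test script.
$long80  = str_repeat('1234567890', 8); // 80 bytes
$first72 = substr($long80, 0, 72);      // shares every byte bcrypt reads
$first71 = substr($long80, 0, 71);      // differs inside the first 72 bytes

// Cost 4 is the minimum bcrypt cost; used only to keep this demonstration fast.
$hash = password_hash($long80, PASSWORD_BCRYPT, ['cost' => 4]);
var_dump(password_verify($first72, $hash)); // the report's first comparison
var_dump(password_verify($first71, $hash)); // the report's second comparison

// With the check in place the 80-byte password is refused before hashing.
try {
    bcrypt_hash_checked($long80);
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```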