Bug #72168 SHA1 generate duplicated values
Submitted: 2016-05-05 18:48 UTC Modified: 2016-05-06 03:31 UTC
From: jorge dot monge at internetbrands dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: Irrelevant OS: Ubuntu,Centos
Private report: No CVE-ID: None
 [2016-05-05 18:48 UTC] jorge dot monge at internetbrands dot com
Description:
------------
* I have found this issue on PHP 5.3.10, 5.6.28 and 7.0.5.
SHA1 generates duplicate values when the string input begins with a Unicode Han Character even if you add some random value the output string will not change at all.

Test script:
---------------
<?php
// Array with some Unicode Han Characters
$arrCharacters = array("7e56", "7e57", "7e58", "7e59", "7e60", "7e61", "7e62");

foreach ($arrCharacters as $hanCharacter) {
    echo "Han Character: $hanCharacter \n";
    for ($i = 0; $i < 10; $i++) {
        $hash = sha1($hanCharacter + "someString" + microtime() + rand(1, 1000));
        echo $hash . "\n";
    }
    echo "************** \n";
}


Expected result:
----------------
As you can see, it generates the same output string even when the input string is different.

Han Character: 7e56 
890e9b222a287b10a9110e14d3aa29a8d39195e5
890e9b222a287b10a9110e14d3aa29a8d39195e5
890e9b222a287b10a9110e14d3aa29a8d39195e5
890e9b222a287b10a9110e14d3aa29a8d39195e5
890e9b222a287b10a9110e14d3aa29a8d39195e5
890e9b222a287b10a9110e14d3aa29a8d39195e5
890e9b222a287b10a9110e14d3aa29a8d39195e5
890e9b222a287b10a9110e14d3aa29a8d39195e5
890e9b222a287b10a9110e14d3aa29a8d39195e5
890e9b222a287b10a9110e14d3aa29a8d39195e5
************** 
Han Character: 7e57 
f2639489499e6f610cb539adfd984641791d0818
f2639489499e6f610cb539adfd984641791d0818
f2639489499e6f610cb539adfd984641791d0818
f2639489499e6f610cb539adfd984641791d0818
f2639489499e6f610cb539adfd984641791d0818
f2639489499e6f610cb539adfd984641791d0818
f2639489499e6f610cb539adfd984641791d0818
f2639489499e6f610cb539adfd984641791d0818
f2639489499e6f610cb539adfd984641791d0818
f2639489499e6f610cb539adfd984641791d0818
************** 
Han Character: 7e58 
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
16c9f88a6d5eecf42d85bce00df9719fab1e67bb
************** 
Han Character: 7e59 
2d938b3495ea5cd22ab10504da80d07353232c06
2d938b3495ea5cd22ab10504da80d07353232c06
2d938b3495ea5cd22ab10504da80d07353232c06
2d938b3495ea5cd22ab10504da80d07353232c06
2d938b3495ea5cd22ab10504da80d07353232c06
2d938b3495ea5cd22ab10504da80d07353232c06
2d938b3495ea5cd22ab10504da80d07353232c06
2d938b3495ea5cd22ab10504da80d07353232c06
2d938b3495ea5cd22ab10504da80d07353232c06
2d938b3495ea5cd22ab10504da80d07353232c06
************** 
Han Character: 7e60 
71bd1a851c529dec0df7ecd004669eb4c5146f33
71bd1a851c529dec0df7ecd004669eb4c5146f33
71bd1a851c529dec0df7ecd004669eb4c5146f33
71bd1a851c529dec0df7ecd004669eb4c5146f33
71bd1a851c529dec0df7ecd004669eb4c5146f33
71bd1a851c529dec0df7ecd004669eb4c5146f33
71bd1a851c529dec0df7ecd004669eb4c5146f33
71bd1a851c529dec0df7ecd004669eb4c5146f33
71bd1a851c529dec0df7ecd004669eb4c5146f33
71bd1a851c529dec0df7ecd004669eb4c5146f33
************** 
Han Character: 7e61 
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
2766b90b1cb57ab0ba78dd8481ef0b0cb9ecf82e
************** 
Han Character: 7e62 
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
99ed0560ed877c0b74b49f895b7ccd0af5a821f7
************** 

 [2016-05-06 03:31 UTC] stas@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2016-05-06 03:31 UTC] stas@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Quoting Sara Golemon:

The output of sha1() is the same because the inputs are the same.

They're the same because you're using the numeric addition operator
(+) instead of the string concatenation operator (.), which is
probably what you want.

For example, for the string "7e56", you're calculating the digest of:
  "7e56" + "somestring" + microtime() + rand(1,1000)

7e56 is "7 times ten to the 56th power", a large floating point number
"somestring" when used in a numeric context is zero
microtime() will be something like "0.52681700 1462500201", which when
used in a numeric context, will evaluate to some floating point number
between zero and one.
Since the precision of floating point numbers in PHP is only about 15
digits, this vanishes and rounds to zero.
Similarly with rand(1,1000), no matter what the number is, it's too
small to appear in such a large number as 7E+56.

Bottom line, that whole numeric addition comes to naught, and you end
up taking the hash of precisely 7e56 every time, so of course the
digest is the same every time.

TL;DR - Use dot for concatenation, not +
 
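The following script is an added example, not part of the bug report or of PHP's own code. It makes the explanation above concrete by showing the exact string that sha1() receives under numeric addition versus string concatenation, using the reporter's prefixes and the microtime() sample quoted in the reply. The helper names hashInputWithPlus, hashInputWithDot and saltActuallyVaries are my own, and the rand() values 1, 537 and 1000 are constructed so the run is deterministic. The explicit (float) casts spell out the coercion that PHP 5 and 7 performed silently; on PHP 8 a bare non-numeric string operand in arithmetic throws a TypeError, so the casts also keep the script runnable there.

```php
<?php
// Added example (not from the bug report): what sha1() actually hashes when the
// "salt" is combined with + instead of . (PHP 7.4+ for the arrow functions).
declare(strict_types=1);

// Reproduces "7e56" + "someString" + microtime() + rand(1,1000) as PHP 5/7
// evaluated it, with each coercion written out explicitly.
function hashInputWithPlus(string $prefix, string $micro, int $rnd): string
{
    $sum = (float) $prefix       // "7e56" is a numeric string  -> 7.0E+56
         + (float) "someString"  // non-numeric string          -> 0.0
         + (float) $micro        // leading-numeric "0.52681700 1462500201" -> 0.526817
         + $rnd;                 // below one ulp of 7e56, so it is absorbed
    return (string) $sum;        // sha1() receives this string, e.g. "7.0E+56"
}

// The concatenation the reporter meant to write.
function hashInputWithDot(string $prefix, string $micro, int $rnd): string
{
    return $prefix . "someString" . $micro . $rnd;
}

// Defensive check a test suite can run: if changing the salt does not change
// the bytes being hashed, the "random" input has collapsed to a constant.
function saltActuallyVaries(callable $buildInput): bool
{
    return $buildInput(1) !== $buildInput(2);
}

$micro = "0.52681700 1462500201";   // microtime() sample from the reply
$rands = [1, 537, 1000];            // constructed stand-ins for rand(1, 1000)

foreach (["7e56", "7e57", "7e58"] as $prefix) {
    foreach ($rands as $rnd) {
        $plus = hashInputWithPlus($prefix, $micro, $rnd);
        $dot  = hashInputWithDot($prefix, $micro, $rnd);
        printf("%s rand=%4d  +  input=%-8s sha1=%s\n", $prefix, $rnd, $plus, sha1($plus));
        printf("%s rand=%4d  .  input=%s sha1=%s\n", $prefix, $rnd, $dot, sha1($dot));
    }
    echo "**************\n";
}

var_dump(saltActuallyVaries(fn (int $r) => hashInputWithPlus("7e56", $micro, $r)));
var_dump(saltActuallyVaries(fn (int $r) => hashInputWithDot("7e56", $micro, $r)));
```

Run it with `php example.php`. For every rand value the + form hands sha1() the same string, "7.0E+56" under the default precision setting of 14, so the digest never changes, while the . form produces a different input and a different digest each time. saltActuallyVaries returns false for the + builder and true for the . builder; a one-line assertion of that shape in a test suite catches a salt or nonce that has silently degenerated into a constant, which is the security-relevant failure behind this report.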
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Fri Jun 22 17:01:44 2018 UTC