Bug #77218 password_hash returns null
Submitted: 2018-11-29 08:26 UTC Modified: 2018-12-08 06:47 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: magnar at myrtveit dot com Assigned:
Status: Open Package: *Encryption and hash functions
PHP Version: 7.3.0RC6 OS: Any
Private report: No CVE-ID: None

 [2018-11-29 08:26 UTC] magnar at myrtveit dot com
Description:
------------
From manual page: http://php.net/manual/en/function.password-hash.php

The return value is documented as "Returns the hashed password, or FALSE on failure." However, password_hash returns null on failure, as is evident from this test: https://3v4l.org/siaNi I am not sure whether password_hash returns false on other failures.

I don't know whether the issue is with the documentation or with the function.

Test script:
---------------
<?php
// -1 is not a valid algorithm identifier, so password_hash() fails here.
var_dump(password_hash('foo', -1));

Expected result:
----------------
false (based on the documentation)

Actual result:
--------------
null

 [2018-11-29 08:33 UTC] magnar at myrtveit dot com
It seems that password_hash returns null on all failures. Here is my test: https://3v4l.org/DMv87
 [2018-12-01 13:15 UTC] petk@php.net
Hello, I'm just confirming this issue for now. Yes, the documentation should probably be fixed from false to null in case of a failure such as a non-existing algorithm. Returning string or null is more logical in these more recently added functions. Returning a mixed value with boolean is much less logical to expect and understand in such a case, I think.
 [2018-12-08 06:47 UTC] yohgaki@php.net
-Type: Documentation Problem +Type: Bug
 [2018-12-08 06:47 UTC] yohgaki@php.net
Briefly checked how RETURN_NULL() is used.
Most of them, except password_hash(), return NULL when an "empty" result is appropriate, not for errors.

RETURN_NULL() for invalid algo seems actually a bug.
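
A defensive way to call password_hash() given the mismatch reported in this thread, as an added example that is not part of the original report or of PHP's own code. The wrapper name hash_password_or_fail is hypothetical; it accepts only a verifiable hash string, so a caller that compares against false alone cannot end up storing the null described above.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical wrapper (the name is an assumption, not a PHP API):
 * returns a usable hash string or throws, never false or null.
 */
function hash_password_or_fail(string $password, $algo = PASSWORD_DEFAULT, array $options = []): string
{
    try {
        $hash = password_hash($password, $algo, $options);
    } catch (\Throwable $e) {
        // Covers runtimes that report the failure by throwing.
        throw new \RuntimeException('password_hash() failed', 0, $e);
    }

    // `$hash === false` alone would let the null from this report through,
    // so accept only a non-empty string.
    if (!is_string($hash) || $hash === '') {
        throw new \RuntimeException('password_hash() did not return a hash');
    }

    // The result must be recognised as a password hash and must verify
    // against the input before it is stored anywhere.
    $info = password_get_info($hash);
    if (empty($info['algo']) || !password_verify($password, $hash)) {
        throw new \RuntimeException('password_hash() returned an unusable value');
    }

    return $hash;
}

// Demonstration: a valid algorithm and the invalid one from the test script.
foreach ([PASSWORD_DEFAULT, -1] as $algo) {
    try {
        $hash = hash_password_or_fail('foo', $algo);
        echo 'algo ', var_export($algo, true), ': hash accepted (', strlen($hash), " chars)\n";
    } catch (\RuntimeException $e) {
        echo 'algo ', var_export($algo, true), ': rejected, ', $e->getMessage(), "\n";
    }
}
```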
 
Last updated: Mon Dec 10 03:01:25 2018 UTC