Bug #79555 crypt function gives same output with different inputs that are similar
Submitted: 2020-05-02 01:48 UTC Modified: 2020-05-02 01:53 UTC
From: subless at yahoo dot com Assigned:
Status: Not a bug Package: hash related
PHP Version: 7.3.17 OS: macOS Sierra
Private report: No CVE-ID: None
 [2020-05-02 01:48 UTC] subless at yahoo dot com
Description:
------------
https://ideone.com/srWv2p

The link above is some example code where the string input is slightly different and they all have the same salt, but the output is the exact same each time. Some input-character modifications will change the output which is intended but it's broken so far.

Test script:
---------------
<?php
echo crypt("passwordpasswoRd", "SALT");
echo "\n";
echo crypt("passwordpassWorD", "SALT");
echo "\n";
echo crypt("passwordPassworD", "SALT");
echo "\n";
echo crypt("passwordpaSSworD", "SALT");
echo "\n";
echo crypt("passwordpassworD", "SALT");
?>

Expected result:
----------------
Since the input string is slightly different, I expect to see different output results not identical.


 [2020-05-02 01:53 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2020-05-02 01:53 UTC] requinix@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

> The standard DES-based crypt() returns the salt as the first two characters of
> the output. It also only uses the first eight characters of str, so longer
> strings that start with the same eight characters will generate the same result
> (when the same salt is used).

If you're trying to hash passwords, use PHP's password hashing functions.
https://www.php.net/manual/en/ref.password.php
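
The behaviour quoted above, next to the password hashing functions the reply recommends, as an added example that is not part of the original report or the PHP project's code. The helper names `is_legacy_des_hash` and `verify_and_upgrade` are hypothetical, and the upgrade-on-login flow is an assumption about how an application might replace stored DES hashes.

```php
<?php
// Added example: helper names and sample inputs are constructed for illustration.

// Traditional DES crypt() output is 13 characters from ./0-9A-Za-z with no "$" prefix.
function is_legacy_des_hash(string $stored): bool
{
    return preg_match('#^[./0-9A-Za-z]{13}$#', $stored) === 1;
}

// Check a login against a stored hash; return a replacement hash when the stored
// one is legacy DES or otherwise out of date, so the caller can persist it.
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_des_hash($stored)) {
        // Passing the stored hash as the salt makes crypt() reuse its two-character salt.
        $ok = hash_equals($stored, crypt($password, $stored));
        $stale = true;
    } else {
        $ok = password_verify($password, $stored);
        $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }
    $newHash = ($ok && $stale) ? password_hash($password, PASSWORD_DEFAULT) : null;
    return ['ok' => $ok, 'new_hash' => $newHash];
}

$first  = 'passwordpasswoRd';   // inputs from the report's test script
$second = 'passwordpassWorD';

// DES-based crypt(): only "password" (the first eight characters) is hashed.
$desFirst = crypt($first, 'SALT');
echo "DES hash:              ", $desFirst, "\n";
echo "same as 2nd input?     ", var_export(hash_equals($desFirst, crypt($second, 'SALT')), true), "\n";
echo "same as 'password'?    ", var_export(hash_equals($desFirst, crypt('password', 'SALT')), true), "\n";

// password_hash(): the characters after the eighth take part in the hash.
$modern = password_hash($first, PASSWORD_DEFAULT);
echo "modern, 1st input:     ", var_export(password_verify($first, $modern), true), "\n";
echo "modern, 2nd input:     ", var_export(password_verify($second, $modern), true), "\n";

// Migration: a legacy hash still verifies (on eight characters only) and is
// replaced on successful login with a hash of the full password as typed.
$login = verify_and_upgrade($first, $desFirst);
echo "legacy login ok:       ", var_export($login['ok'], true), "\n";
echo "upgraded hash is DES?  ", var_export(is_legacy_des_hash($login['new_hash']), true), "\n";
```

Until a stored DES hash has been replaced, any input that shares its first eight characters verifies against it, so the replacement hash should be persisted at the first successful login.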
 
Last updated: Tue Apr 16 17:01:30 2024 UTC