Chris,

> To be honest, a note next to PASSWORD_DEFAULT would be good too.

Ok, I'll add that in shortly.

>>> The API of password_make_salt() seems restrictive.  What if other
>>> options are needed in future?
>>
>>
>> Can you give any examples of what options would be needed in the
>> future, or how you would like to see the API?
>
>
> I only have brainstorm thoughts on this, since I don't have a crystal
> ball.  What if characters other than a-zA-Z0-9./ should/can be used
> for some PASSWORD_xxx algorithms?  What if some seed is needed?  What
> if the salt creation algorithm should be swappable due to resource
> usage reasons, etc?

Actually...  What about making the `raw_output` parameter a bitmask.
Then provide:

PASSWORD_SALT_CRYPT = 1
PASSWORD_SALT_RAW = 2

Then, in the future you could add a bunch of other PASSWORD_SALT_SOMETHINGELSE.

And you could combine some: PASSWORD_SALT_DEV_RANDOM, PASSWORD_SALT_WHATEVER...

> Also, do you really need a php.ini parameter?  It's yet another
> potential way to attack a system.

Well, if not for an ini parameter, what way would you suggest to alter
the default bcrypt cost? (seriously, I'm open to suggestions)...


Thanks,

Anthony

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
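As an added illustration (not code from the RFC, the patch, or anyone in this thread), here is a userland PHP sketch of the two API points being discussed: a salt helper whose output mode is a bitmask of flags, and a bcrypt wrapper that takes the cost as a per-call option with a default in code rather than in php.ini. The constant and function names (`EX_SALT_*`, `example_make_salt`, `example_bcrypt`) are assumptions for this sketch, and it assumes `random_bytes()` (PHP 7+) and a `crypt()` build with `$2y$` support.

```php
<?php
declare(strict_types=1);

// Hypothetical flag constants for the bitmask idea (names assumed for this sketch).
const EX_SALT_CRYPT = 1; // encode into the ./0-9A-Za-z crypt alphabet
const EX_SALT_RAW   = 2; // return the raw random bytes unencoded

function example_make_salt(int $length, int $flags = EX_SALT_CRYPT): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('salt length must be positive');
    }
    // CRYPT and RAW describe the same output, so they cannot both be set.
    $exclusive = EX_SALT_CRYPT | EX_SALT_RAW;
    if (($flags & $exclusive) === $exclusive) {
        throw new InvalidArgumentException('CRYPT and RAW output are mutually exclusive');
    }
    $bytes = random_bytes($length); // CSPRNG; one byte per output symbol
    if ($flags & EX_SALT_RAW) {
        return $bytes;
    }
    // 64-symbol alphabet: masking to six bits maps each byte uniformly, no modulo bias.
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[ord($bytes[$i]) & 0x3F];
    }
    return $salt;
}

// Per-call option instead of a php.ini knob: the caller passes 'cost' explicitly,
// and the default lives in code where it can be reviewed and tested.
function example_bcrypt(string $password, array $options = []): string
{
    $cost = (int) ($options['cost'] ?? 10);
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    $salt = example_make_salt(22); // bcrypt consumes 22 crypt-alphabet characters
    $setting = sprintf('$2y$%02d$%s', $cost, $salt);
    $hash = crypt($password, $setting);
    // Older PHP returns a short failure string instead of a 60-char bcrypt hash.
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt unavailable or crypt() failed');
    }
    return $hash;
}

// Usage: hash with an explicit cost, then verify in constant time.
$password = 'correct horse battery staple'; // constructed sample input
$hash = example_bcrypt($password, ['cost' => 12]);
var_dump(hash_equals($hash, crypt($password, $hash)));
```

Because the flags are distinct bits, future modes (a different character set, an alternative entropy source) can be added as new constants without changing the signature, while the mutual-exclusion check shows where combinations need validation rather than silent precedence.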