On 07/08/13 13:00, Leigh wrote:
On 7 August 2013 11:18, Yasuo Ohgaki<yohg...@ohgaki.net> wrote:
A user requested that crypt() should raise error without 2nd(slat)
parameter.
https://bugs.php.net/bug.php?id=55036
crypt() without salt generates extremely weak password hash.
The docs seem to indicate that some implementations generate their own
random salt if one is not supplied? It doesn't seem right to raise a
warning if it doesn't apply to _all_ cases.
I do get a md5 with a salt when calling crypt, and looking at php that
seems
to be the intended behavior, not something system dependant (that's done
since 5.3, according to the docs).
I see a problem in that it uses php_rand() to generate the salt, but the
solution
should be to use php_password_make_salt for creating the salt, not the
warning.
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php