Edit report at https://bugs.php.net/bug.php?id=64211&edit=1
ID: 64211 Updated by: johan...@php.net Reported by: pwormer at science dot ru dot nl Summary: sha256 hashes "#", "&", and "+" incorrectly. Status: Not a bug Type: Bug Package: hash related Operating System: windows/linux PHP Version: 5.4.11 Block user comment: N Private report: N New Comment: That'S your problem. You have to escape the URL parameters. pswd = "a#b"; url = "SHA256.php?pswd="+pswd will create the URL "SHA256.php?pswd=a#b" the browser will then cut of the "#b" from the URL before sending it to the server. $ php -r 'echo hash("sha256", "a");' ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb Which is what you get. You should escape the data ... Additional comment: Don't transfer the password as part of the URL. URLs are stored in browser history etc. and might leak therefore. Always use POST data for that. (but still mind proper escaping) Previous Comments: ------------------------------------------------------------------------ [2013-02-15 10:40:47] pwormer at science dot ru dot nl I call PHP from JS through XMLHttp.open("GET", "SHA256.php?pswd="+pswd). Maybe the problem lies in XMLHttp? ------------------------------------------------------------------------ [2013-02-15 10:29:20] pwormer at science dot ru dot nl Two more examples: 1. Password "a b" (no quotes, pswd contains three characters, middle one ASCII 32): JS-hashed password : c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65 PHP-hashed password: c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65 2. Password "a#b" (no quotes, pswd contains three characters, middle one ASCII 35): JS-hashed password : 8187fc8f7f007036dffc199544b33167632c7739733785bbdec0fbb9a2c43ca1 PHP-hashed password: ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb My problem is the difference in hash between JavaScript and PHP that occurs if and only if the pswd contains anywhere #, & or +. By looking at PHP alone this problem cannot be solved. ------------------------------------------------------------------------ [2013-02-14 21:38:29] s...@php.net s/expecting/getting ------------------------------------------------------------------------ [2013-02-14 21:37:50] s...@php.net Can't reproduce on 32 or 64 bit Linux: $ php53 -r 'echo hash("sha256", "#") . "\n";' 334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b $ php54 -r 'echo hash("sha256", "#") . "\n";' 334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b Is it coincidence that "" (an empty string) gives the hash you are expecting for "#". $ php53 -r 'echo hash("sha256", "") . "\n";' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 $ php54 -r 'echo hash("sha256", "") . "\n";' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ------------------------------------------------------------------------ [2013-02-14 11:05:56] pwormer at science dot ru dot nl Description: ------------ The JavaScript functions at: http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/sha256.js and http://www.movable-type.co.uk/scripts/sha256.html give the same hash for any password of any length consisting of ASCII 32 through 128. Almost always the hash is the same as obtained from PHP: hash("sha256", $pswd). Exceptions (bugs?) are passwords containing one or more of the three characters: "#" (number sign), "&" (ampersand), or "+" (plus sign). Tested with XAMPP (PHP 5.4.7), FireFox and Chrome and Linux server. Test script: --------------- See http://www.theochem.ru.nl/~pwormer/sha256bug.php This URL calls SHA256.php which contains the following four lines <?php $pswd = $_GET["pswd"]; echo hash("sha256", $pswd); ?> Expected result: ---------------- I expect JavaScript and PHP to give same Sha-256 hashes Actual result: -------------- Hash of # (single character): JS: 334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b PHP: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=64211&edit=1