Edit report at https://bugs.php.net/bug.php?id=64211&edit=1
ID: 64211
Updated by: johan...@php.net
Reported by: pwormer at science dot ru dot nl
Summary: sha256 hashes "#", "&", and "+" incorrectly.
Status: Not a bug
Type: Bug
Package: hash related
Operating System: windows/linux
PHP Version: 5.4.11
Block user comment: N
Private report: N
New Comment:
That'S your problem. You have to escape the URL parameters.
pswd = "a#b";
url = "SHA256.php?pswd="+pswd
will create the URL "SHA256.php?pswd=a#b" the browser will then cut of the "#b"
from the URL before sending it to the server.
$ php -r 'echo hash("sha256", "a");'
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
Which is what you get. You should escape the data ...
Additional comment: Don't transfer the password as part of the URL. URLs are
stored in browser history etc. and might leak therefore. Always use POST data
for that. (but still mind proper escaping)
Previous Comments:
------------------------------------------------------------------------
[2013-02-15 10:40:47] pwormer at science dot ru dot nl
I call PHP from JS through XMLHttp.open("GET", "SHA256.php?pswd="+pswd). Maybe
the problem lies in XMLHttp?
------------------------------------------------------------------------
[2013-02-15 10:29:20] pwormer at science dot ru dot nl
Two more examples:
1. Password "a b" (no quotes, pswd contains three characters, middle one ASCII
32):
JS-hashed password :
c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65
PHP-hashed password:
c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65
2. Password "a#b" (no quotes, pswd contains three characters, middle one ASCII
35):
JS-hashed password :
8187fc8f7f007036dffc199544b33167632c7739733785bbdec0fbb9a2c43ca1
PHP-hashed password:
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
My problem is the difference in hash between JavaScript and PHP that occurs if
and only if the pswd contains anywhere #, & or +. By looking at PHP alone this
problem cannot be solved.
------------------------------------------------------------------------
[2013-02-14 21:38:29] s...@php.net
s/expecting/getting
------------------------------------------------------------------------
[2013-02-14 21:37:50] s...@php.net
Can't reproduce on 32 or 64 bit Linux:
$ php53 -r 'echo hash("sha256", "#") . "\n";'
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b
$ php54 -r 'echo hash("sha256", "#") . "\n";'
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b
Is it coincidence that "" (an empty string) gives the hash you are expecting
for
"#".
$ php53 -r 'echo hash("sha256", "") . "\n";'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
$ php54 -r 'echo hash("sha256", "") . "\n";'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
------------------------------------------------------------------------
[2013-02-14 11:05:56] pwormer at science dot ru dot nl
Description:
------------
The JavaScript functions at:
http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/sha256.js
and
http://www.movable-type.co.uk/scripts/sha256.html
give the same hash for any password of any length consisting of ASCII 32
through 128. Almost always the hash is the same as obtained from PHP:
hash("sha256", $pswd).
Exceptions (bugs?) are passwords containing one or more of the three characters:
"#" (number sign), "&" (ampersand), or "+" (plus sign).
Tested with XAMPP (PHP 5.4.7), FireFox and Chrome and Linux server.
Test script:
---------------
See http://www.theochem.ru.nl/~pwormer/sha256bug.php
This URL calls SHA256.php which contains the following four lines
<?php
$pswd = $_GET["pswd"];
echo hash("sha256", $pswd);
?>
Expected result:
----------------
I expect JavaScript and PHP to give same Sha-256 hashes
Actual result:
--------------
Hash of # (single character):
JS: 334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b
PHP: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=64211&edit=1
