Edit report at https://bugs.php.net/bug.php?id=64211&edit=1
ID: 64211
User updated by: pwormer at science dot ru dot nl
Reported by: pwormer at science dot ru dot nl
Summary: sha256 hashes "#", "&", and "+" incorrectly.
Status: Not a bug
Type: Bug
Package: hash related
Operating System: windows/linux
PHP Version: 5.4.11
Block user comment: N
Private report: N
New Comment:
Thank you, forgetting to encode was indeed my problem. What threw me off was
that almost all special characters (slash, period, at-sign, angular brackets,
etc) worked OK without encoding.
Your point about GET versus POST is well taken. I used GET so far because I'm
in an exploration phase. In my definite code I will either use POST or don't
hash on the client, I have to think more about it.
Previous Comments:
------------------------------------------------------------------------
[2013-02-15 11:00:56] johan...@php.net
That'S your problem. You have to escape the URL parameters.
pswd = "a#b";
url = "SHA256.php?pswd="+pswd
will create the URL "SHA256.php?pswd=a#b" the browser will then cut of the "#b"
from the URL before sending it to the server.
$ php -r 'echo hash("sha256", "a");'
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
Which is what you get. You should escape the data ...
Additional comment: Don't transfer the password as part of the URL. URLs are
stored in browser history etc. and might leak therefore. Always use POST data
for that. (but still mind proper escaping)
------------------------------------------------------------------------
[2013-02-15 10:40:47] pwormer at science dot ru dot nl
I call PHP from JS through XMLHttp.open("GET", "SHA256.php?pswd="+pswd). Maybe
the problem lies in XMLHttp?
------------------------------------------------------------------------
[2013-02-15 10:29:20] pwormer at science dot ru dot nl
Two more examples:
1. Password "a b" (no quotes, pswd contains three characters, middle one ASCII
32):
JS-hashed password :
c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65
PHP-hashed password:
c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65
2. Password "a#b" (no quotes, pswd contains three characters, middle one ASCII
35):
JS-hashed password :
8187fc8f7f007036dffc199544b33167632c7739733785bbdec0fbb9a2c43ca1
PHP-hashed password:
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
My problem is the difference in hash between JavaScript and PHP that occurs if
and only if the pswd contains anywhere #, & or +. By looking at PHP alone this
problem cannot be solved.
------------------------------------------------------------------------
[2013-02-14 21:38:29] s...@php.net
s/expecting/getting
------------------------------------------------------------------------
[2013-02-14 21:37:50] s...@php.net
Can't reproduce on 32 or 64 bit Linux:
$ php53 -r 'echo hash("sha256", "#") . "\n";'
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b
$ php54 -r 'echo hash("sha256", "#") . "\n";'
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b
Is it coincidence that "" (an empty string) gives the hash you are expecting
for
"#".
$ php53 -r 'echo hash("sha256", "") . "\n";'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
$ php54 -r 'echo hash("sha256", "") . "\n";'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=64211
--
Edit this bug report at https://bugs.php.net/bug.php?id=64211&edit=1
