Edit report at https://bugs.php.net/bug.php?id=65093&edit=1
ID: 65093
Updated by: ircmax...@php.net
Reported by: michael at squiloople dot com
Summary: password_hash ignores salts with spaces
-Status: Assigned
+Status: Not a bug
Type: Bug
Package: hash related
Operating System: Windows Vista SP2
PHP Version: 5.5.0
Assigned To: ircmaxell
Block user comment: N
Private report: N

New Comment:

This is not a bug. This is as designed.

The reason is that crypt requires a salt that's base64 encoded. A space character is not a valid character in the salt. Therefore, password_hash will attempt to use the salt directly (if it's valid in the base64 character set). But any character outside a-zA-Z0-9./ and it'll base64 encode the salt first.

You can test this yourself:

echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 'thisisatestthisis test'));
echo "\n";
echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 'thisisatestthisis test'));

Produces the same result twice in a row:

$2y$10$dGhpc2lzYXRlc3R0aGlzaOZPioeRNSLNeG3cuJW56OSusfQ5SjKdO
$2y$10$dGhpc2lzYXRlc3R0aGlzaOZPioeRNSLNeG3cuJW56OSusfQ5SjKdO

Which indicates that it's actually encoding the salt you pass in, rather than generating a random one. So it's still using your salt, and it's most definitely not failing.

Closing as Not A Bug. Thanks for the report!

Previous Comments:
------------------------------------------------------------------------
[2013-06-22 12:36:11] michael at squiloople dot com

Would it be worth then having an error or a boolean/null return value rather than have it "fail" silently? If at any point the allowed characters for the salt were to extend then past hashes (where a salt was generated by the developer with previously invalid characters) would be broken. If you give the developer the option to provide a value then surely it should be either accepted or denied rather than just ignored.

------------------------------------------------------------------------
[2013-06-22 05:48:33] r...@php.net

I think it's only a documentation problem which should explain which are the allowed characters in the salt (from code: a-z A-Z 0-9 . /) (notice: It is strongly recommended that you do not generate your own salt for this function)

------------------------------------------------------------------------
[2013-06-21 22:37:03] michael at squiloople dot com

Description:
------------
When manually setting a salt which contains spaces the function ignores it and automatically generates its own.

Test script:
---------------
echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 'thisisatestthisisatest'));
echo '<br>';
echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 'thisisatestthisis test'));

Expected result:
----------------
$2y$10$thisisatestthisisateseLNFJ7M2ONUSijVBKli7sVFN6rQm7o36
$2y$10$thisisatestthisis tesOZPioeRNSLNeG3cuJW56OSusfQ5SjKdO
(with the part after the salt being whatever it would be)

Actual result:
--------------
$2y$10$thisisatestthisisateseLNFJ7M2ONUSijVBKli7sVFN6rQm7o36
$2y$10$dGhpc2lzYXRlc3R0aGlzaOZPioeRNSLNeG3cuJW56OSusfQ5SjKdO

------------------------------------------------------------------------
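The closing comment explains why the second salt in the report comes back as `dGhpc2lzYXRlc3R0aGlzaO`: a salt outside `a-zA-Z0-9./` is base64-encoded before it reaches crypt, and the report's own output also shows the 22nd salt character being rewritten (`t` to `e`, `X` to `O`). The following Python model is an added example, not PHP's code and not from anyone in this thread; it reproduces both effects so a maintainer can predict what prefix a developer-supplied salt will actually produce. Assumptions: the `+` to `.` substitution and dropped `=` padding in the base64 step, the `ValueError` for a too-short salt (where PHP emits a warning and fails instead), and the function names `normalize_salt`, `canonicalize_bcrypt_salt` and `bcrypt_salt_prefix` are this model's own. The 2-bit final character is a property of crypt_blowfish's salt encoding, not of PHP.

```python
import base64
import re

# crypt_blowfish's own base64 alphabet; note it is NOT the RFC 4648 alphabet
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
BCRYPT_SALT_LEN = 22  # 16 raw salt bytes become 22 encoded characters
CRYPT_SALT_RE = re.compile(r"^[a-zA-Z0-9./]+$")


def normalize_salt(salt: str) -> tuple[str, bool]:
    """Model (assumed, not PHP's own code) of the behaviour described in the
    thread: a salt made only of a-zA-Z0-9./ is handed to crypt() as-is;
    anything else is base64-encoded first, with '+' rewritten to '.' and '='
    padding dropped. Returns (salt handed to crypt, was_reencoded)."""
    if CRYPT_SALT_RE.match(salt):
        candidate, reencoded = salt, False
    else:
        encoded = base64.b64encode(salt.encode("utf-8")).decode("ascii")
        candidate, reencoded = encoded.replace("+", ".").rstrip("="), True
    if len(candidate) < BCRYPT_SALT_LEN:
        # PHP refuses a salt shorter than the algorithm needs; this model
        # raises where PHP would warn and fail.
        raise ValueError(f"salt too short: {len(candidate)} < {BCRYPT_SALT_LEN}")
    return candidate[:BCRYPT_SALT_LEN], reencoded


def canonicalize_bcrypt_salt(salt22: str) -> str:
    """crypt_blowfish decodes the 22 characters into 16 bytes and re-encodes
    them when it emits the hash. 21 characters carry 126 bits, so the 22nd
    contributes only its top 2 bits; its low 4 bits are discarded, which is
    why 'X' comes back as 'O' and 't' as 'e' in the thread's output."""
    if len(salt22) != BCRYPT_SALT_LEN or any(c not in BCRYPT_ALPHABET for c in salt22):
        raise ValueError("not a 22-character bcrypt salt")
    last = BCRYPT_ALPHABET.index(salt22[-1])
    return salt22[:-1] + BCRYPT_ALPHABET[last & 0b110000]


def bcrypt_salt_prefix(salt: str, cost: int = 10) -> str:
    """Predict the '$2y$cost$salt' prefix password_hash() will produce for a
    developer-supplied salt. The 31 hash characters that follow depend on
    the password and are not modelled here."""
    candidate, _ = normalize_salt(salt)
    return f"$2y${cost:02d}${canonicalize_bcrypt_salt(candidate)}"


if __name__ == "__main__":
    # The two salts from the bug report, constructed here as sample input.
    for s in ("thisisatestthisisatest", "thisisatestthisis test"):
        used, reencoded = normalize_salt(s)
        print(f"{s!r:28} reencoded={reencoded!s:5} -> {bcrypt_salt_prefix(s)}")
```

Running it prints `$2y$10$thisisatestthisisatese` for the all-alphabet salt and `$2y$10$dGhpc2lzYXRlc3R0aGlzaO` for the one containing a space, matching the report's actual output. Two things follow for anyone reviewing code that sets the `salt` option: the stored salt is a transformation of what the developer passed rather than the literal string, and even an alphabet-valid salt has its last character quantized, so the value is never fully under the caller's control. Both are reasons to leave salt generation to password_hash, as the documentation notice quoted in the thread recommends.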