Edit report at https://bugs.php.net/bug.php?id=55036&edit=1
ID:                 55036
Updated by:         yohg...@php.net
Reported by:        ss23 at ss23 dot geek dot nz
Summary:            Have crypt() throw E_WARNING when salt parameter missing
-Status:            Open
+Status:            Assigned
Type:               Feature/Change Request
Package:            *Encryption and hash functions
PHP Version:        Irrelevant
-Assigned To:
+Assigned To:       yohgaki
Block user comment: N
Private report:     N

New Comment:

Users of PHP 5.5 or later should use password_hash()
http://php.net/manual/en/ref.password.php

It would be a good idea to raise E_WARNING, since crypt() w/o algo/hash produces a very weak hash.

Previous Comments:
------------------------------------------------------------------------
[2011-06-11 23:55:59] ss23 at ss23 dot geek dot nz

Another possible way to "fix" the security risk here would be to choose a sane hash as a default. Now that they're built in, it shouldn't be a problem to do this.

------------------------------------------------------------------------
[2011-06-11 21:00:55] ss23 at ss23 dot geek dot nz

Description:
------------
Currently, you can call crypt('foo') without any problems, however, given how useless that is for anything, it's a security risk if someone was actually to do this.

Test script:
---------------
<?php
crypt('foo');

Expected result:
----------------
Warning: crypt() expects at least 2 parameters, 1 given

Actual result:
--------------
Works fine

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=55036&edit=1
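
The password_hash() route recommended in the new comment, shown as an upgrade-on-login routine for hashes that were stored by older crypt() calls. This is an added example, not code from the bug report or the PHP project; verify_and_upgrade() is a hypothetical name and the sample hash is constructed here (MD5-crypt, chosen for illustration).

```php
<?php
// Added example: upgrade-on-login for hashes stored by legacy crypt() calls.
// verify_and_upgrade() is a hypothetical helper, not a PHP built-in.

/**
 * Verify $password against $storedHash. When the stored hash is not in the
 * current password_hash() default format, also return a replacement to store.
 *
 * @return array{ok: bool, newHash: ?string}
 */
function verify_and_upgrade(string $password, string $storedHash): array
{
    // password_verify() accepts crypt()-format hashes and compares them
    // in a timing-safe way, so legacy records can still be checked.
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }

    // True when the hash uses a different algorithm or cost than the default.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return ['ok' => true, 'newHash' => password_hash($password, PASSWORD_DEFAULT)];
    }

    return ['ok' => true, 'newHash' => null];
}

// Constructed sample: a legacy crypt()-format hash. The salt is passed
// explicitly so the script also runs on versions where crypt() requires it.
$legacy = crypt('foo', '$1$constrct$');

// First login after migration: correct password, legacy hash gets replaced.
$first = verify_and_upgrade('foo', $legacy);
var_dump($first['ok'], $first['newHash'] !== null);

// Next login against the replacement: verifies, nothing left to upgrade.
$second = verify_and_upgrade('foo', $first['newHash']);
var_dump($second['ok'], $second['newHash']);

// Wrong password: rejected, and no replacement hash is produced.
$bad = verify_and_upgrade('bar', $legacy);
var_dump($bad['ok'], $bad['newHash']);
```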