ID: 30316 User updated by: drachma60 at ml1 dot net Reported By: drachma60 at ml1 dot net -Status: Bogus +Status: Open Bug Type: Documentation problem Operating System: FreeBSD PHP Version: 4.3.8 New Comment:
Hi vrana, Yes, I agree, there is an "If you are using the supplied salt" section in the manual. However, I stand by my claim that the documentation does not correctly describe the current behavior of the crypt function. In my sample code, I am not providing a salt. Therefore, according to the documentation: "If the salt argument is not provided, one will be randomly generated by PHP...." "If you are using the supplied salt, you should be aware that the salt is generated once. If you are calling this function recursively, this may impact both appearance and security." The "supplied salt" is the "randomly generated salt". If the supplied salt were only generated once per PHP invocation, then all the lines of the result would be the same. However, it is obvious that the generated crypt lines are not identincal. They are different. Therefore, even though I am NOT supplying a salt to crypt, crypt is regenerating a new (and different) random salt each time I call it. This is not what the documentation describes. This regenerting behavior is the preferred behavior in that it is more secure. Moreover, this is the behavior specifically requested by bug 8080. However, the documentation describes the pre bug 8080 behavior. The documentation is incorrect. Thanks again! Previous Comments: ------------------------------------------------------------------------ [2004-10-04 12:07:39] [EMAIL PROTECTED] There is "If you are using the supplied salt" in the manual. In your example, you are not supplying the salt but using the default one. I changed only recursively to repeatedly. ------------------------------------------------------------------------ [2004-10-04 07:45:58] drachma60 at ml1 dot net Description: ------------ http://us2.php.net/manual/en/function.crypt.php says: "If you are using the supplied salt, you should be aware that the salt is generated once. If you are calling this function recursively, this may impact both appearance and security." However, this does NOT seem to be the case, at least NOT on FreeBSD where crypt uses md5 by default. (Aside: Also, how would I call crypt "recursively"? "repeatedly" I can understand. But not "recursively", as crypt is not calling itself, nor can I (via PHP code) rewrite crypt to call itself.) Thanks! P.S. It looks like the documentation may have been correct before "bug" 8080 was fixed in December of 2000. Reproduce code: --------------- <?php for ($i = 0; $i < 10; $i++) { print crypt ("password"). "\n"; } ?> Expected result: ---------------- $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 (Summary: I would expect all the salts to be the same, as per the documentation.) Actual result: -------------- $1$49EUp1Z7$o9UbbesjLIgng.AMtBhuC0 $1$ppH4o1pX$LWrm5Lk6RIxVdNnR2ow741 $1$PEKufg9F$.qqFw6E2IlueP08IV2MQa0 $1$9agtuCbw$DuMMRD7ybYuB5OBmlw87E/ $1$uzXF0rxF$3V8.0dzVaxVSEh6OgoFtF0 $1$MGg.lgdp$QGmQ68mkdiDDnIDRoAPa20 $1$ZDIvcKNU$1tpYj4x63Py6NKQlvWCD21 $1$rGzlQCSP$M8mRQH4VlNU2cDfb8Y6ru. $1$dKYZm7GZ$fQB58ZSFxm60e7Vovtma/. $1$tyR3/3kx$uw14iqFovhETlgWfdicro0 (Summary: As you can see, the salts are different.) ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=30316&edit=1
