On 18 Mar, 2012, at 2:32 PM, Xinchen Hui <larue...@gmail.com> wrote:

>> What if php uses salts for specific hashes only, such as GPC (or all
>> hashes whose lifetime is limited to the current request), and use a
>> zero-value salt for all others?
> definitely no, thinking of pre-calculated hash.

Pre-calculated hash of what? You mean binary serialisation?

> Or Ajax which uses
> json_decode to parse input json.

That would be considered a request lifetime hash and therefore could be salted.

>
> IMO, this makes no sense but messes things up.

We all have opinions. If a clear distinction between vulnerable and non-vulnerable data can be reliably made, in my limited knowledge of the whole ecosystem I genuinely think this has a shot :)

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php