Edit report at https://bugs.php.net/bug.php?id=64211&edit=1
ID: 64211 User updated by: pwormer at science dot ru dot nl Reported by: pwormer at science dot ru dot nl Summary: sha256 hashes "#", "&", and "+" incorrectly. Status: Not a bug Type: Bug Package: hash related Operating System: windows/linux PHP Version: 5.4.11 Block user comment: N Private report: N New Comment: I call PHP from JS through XMLHttp.open("GET", "SHA256.php?pswd="+pswd). Maybe the problem lies in XMLHttp? Previous Comments: ------------------------------------------------------------------------ [2013-02-15 10:29:20] pwormer at science dot ru dot nl Two more examples: 1. Password "a b" (no quotes, pswd contains three characters, middle one ASCII 32): JS-hashed password : c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65 PHP-hashed password: c8687a08aa5d6ed2044328fa6a697ab8e96dc34291e8c2034ae8c38e6fcc6d65 2. Password "a#b" (no quotes, pswd contains three characters, middle one ASCII 35): JS-hashed password : 8187fc8f7f007036dffc199544b33167632c7739733785bbdec0fbb9a2c43ca1 PHP-hashed password: ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb My problem is the difference in hash between JavaScript and PHP that occurs if and only if the pswd contains anywhere #, & or +. By looking at PHP alone this problem cannot be solved. ------------------------------------------------------------------------ [2013-02-14 21:38:29] s...@php.net s/expecting/getting ------------------------------------------------------------------------ [2013-02-14 21:37:50] s...@php.net Can't reproduce on 32 or 64 bit Linux: $ php53 -r 'echo hash("sha256", "#") . "\n";' 334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b $ php54 -r 'echo hash("sha256", "#") . "\n";' 334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b Is it coincidence that "" (an empty string) gives the hash you are expecting for "#". $ php53 -r 'echo hash("sha256", "") . "\n";' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 $ php54 -r 'echo hash("sha256", "") . "\n";' e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ------------------------------------------------------------------------ [2013-02-14 11:05:56] pwormer at science dot ru dot nl Description: ------------ The JavaScript functions at: http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/sha256.js and http://www.movable-type.co.uk/scripts/sha256.html give the same hash for any password of any length consisting of ASCII 32 through 128. Almost always the hash is the same as obtained from PHP: hash("sha256", $pswd). Exceptions (bugs?) are passwords containing one or more of the three characters: "#" (number sign), "&" (ampersand), or "+" (plus sign). Tested with XAMPP (PHP 5.4.7), FireFox and Chrome and Linux server. Test script: --------------- See http://www.theochem.ru.nl/~pwormer/sha256bug.php This URL calls SHA256.php which contains the following four lines <?php $pswd = $_GET["pswd"]; echo hash("sha256", $pswd); ?> Expected result: ---------------- I expect JavaScript and PHP to give same Sha-256 hashes Actual result: -------------- Hash of # (single character): JS: 334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b PHP: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=64211&edit=1