ID: 30316 Updated by: [EMAIL PROTECTED] Reported By: drachma60 at ml1 dot net -Status: Open +Status: Closed Bug Type: Documentation problem Operating System: FreeBSD PHP Version: 4.3.8 New Comment:
This bug has been fixed in the documentation's XML sources. Since the online and downloadable versions of the documentation need some time to get updated, we would like to ask you to be a bit patient. Thank you for the report, and for helping us make our documentation better. "If the salt argument is not provided, one will be randomly generated by PHP each time you call this function." Previous Comments: ------------------------------------------------------------------------ [2004-10-11 04:19:38] drachma60 at ml1 dot net Hi vrana, Yes, I agree, there is an "If you are using the supplied salt" section in the manual. However, I stand by my claim that the documentation does not correctly describe the current behavior of the crypt function. In my sample code, I am not providing a salt. Therefore, according to the documentation: "If the salt argument is not provided, one will be randomly generated by PHP...." "If you are using the supplied salt, you should be aware that the salt is generated once. If you are calling this function recursively, this may impact both appearance and security." The "supplied salt" is the "randomly generated salt". If the supplied salt were only generated once per PHP invocation, then all the lines of the result would be the same. However, it is obvious that the generated crypt lines are not identincal. They are different. Therefore, even though I am NOT supplying a salt to crypt, crypt is regenerating a new (and different) random salt each time I call it. This is not what the documentation describes. This regenerting behavior is the preferred behavior in that it is more secure. Moreover, this is the behavior specifically requested by bug 8080. However, the documentation describes the pre bug 8080 behavior. The documentation is incorrect. Thanks again! ------------------------------------------------------------------------ [2004-10-04 12:07:39] [EMAIL PROTECTED] There is "If you are using the supplied salt" in the manual. In your example, you are not supplying the salt but using the default one. I changed only recursively to repeatedly. ------------------------------------------------------------------------ [2004-10-04 07:45:58] drachma60 at ml1 dot net Description: ------------ http://us2.php.net/manual/en/function.crypt.php says: "If you are using the supplied salt, you should be aware that the salt is generated once. If you are calling this function recursively, this may impact both appearance and security." However, this does NOT seem to be the case, at least NOT on FreeBSD where crypt uses md5 by default. (Aside: Also, how would I call crypt "recursively"? "repeatedly" I can understand. But not "recursively", as crypt is not calling itself, nor can I (via PHP code) rewrite crypt to call itself.) Thanks! P.S. It looks like the documentation may have been correct before "bug" 8080 was fixed in December of 2000. Reproduce code: --------------- <?php for ($i = 0; $i < 10; $i++) { print crypt ("password"). "\n"; } ?> Expected result: ---------------- $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 $1$salt$qJH7.N4xYta3aEG/dfqo/0 (Summary: I would expect all the salts to be the same, as per the documentation.) Actual result: -------------- $1$49EUp1Z7$o9UbbesjLIgng.AMtBhuC0 $1$ppH4o1pX$LWrm5Lk6RIxVdNnR2ow741 $1$PEKufg9F$.qqFw6E2IlueP08IV2MQa0 $1$9agtuCbw$DuMMRD7ybYuB5OBmlw87E/ $1$uzXF0rxF$3V8.0dzVaxVSEh6OgoFtF0 $1$MGg.lgdp$QGmQ68mkdiDDnIDRoAPa20 $1$ZDIvcKNU$1tpYj4x63Py6NKQlvWCD21 $1$rGzlQCSP$M8mRQH4VlNU2cDfb8Y6ru. $1$dKYZm7GZ$fQB58ZSFxm60e7Vovtma/. $1$tyR3/3kx$uw14iqFovhETlgWfdicro0 (Summary: As you can see, the salts are different.) ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=30316&edit=1
