1.2.1465. crypt() Without Salt

PHP requires a salt when calling crypt(). PHP 5.5 and earlier versions did not require it. The salt is a simple string, usually known only to the application.

According to the manual: the salt parameter is optional. However, crypt() creates a weak hash without the salt. PHP 5.6 or later raises an E_NOTICE error without it. Make sure to specify a strong enough salt for better security.

<?php
// Set the password
$password = 'mypassword';

// salted crypt usage (always valid)
$hash = crypt($password, '123salt');

// Get the hash, letting the salt be automatically generated
// This generates an E_NOTICE as of PHP 5.6 and produces a weak hash
$hash = crypt($password);

?>

See also crypt.
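The snippet above shows the two call forms but not what a "strong enough" salt looks like, nor how the hash is checked later. The following is an added example, not part of the Exakat documentation or of PHP's own code: it builds a bcrypt ($2y$) salt for crypt() from CSPRNG output, stores the full crypt() result, and verifies a password against it. It goes slightly beyond the page by also showing password_hash(), which generates its salt internally. It assumes PHP 7.0 or later for random_bytes(); the function names makeBcryptSalt, hashPassword and verifyPassword are my own.

```php
<?php
// Added example (not from the Exakat page): explicit strong salt for crypt().
// Assumes PHP >= 7.0 (random_bytes). Function names are hypothetical.

declare(strict_types=1);

/**
 * Build a bcrypt salt for crypt(): "$2y$" + two-digit cost + "$" +
 * 22 characters from the bcrypt alphabet [./A-Za-z0-9].
 */
function makeBcryptSalt(int $cost = 12): string
{
    // 16 random bytes -> 24 base64 characters; bcrypt uses '.' where
    // base64 uses '+', and only the first 22 characters are consumed.
    $raw = random_bytes(16);
    $saltChars = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $saltChars);
}

function hashPassword(string $password): string
{
    // crypt() returns "$2y$<cost>$<22-char salt><31-char hash>", so the
    // salt is stored together with the hash and never needs to be secret.
    $hash = crypt($password, makeBcryptSalt());

    // crypt() signals failure with a result shorter than 13 characters.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed to produce a hash');
    }
    return $hash;
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Passing the stored hash as the salt argument makes crypt() reuse the
    // salt and cost embedded in it; hash_equals() compares in constant time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Self-check with a constructed password.
$hash = hashPassword('mypassword');
if (!verifyPassword('mypassword', $hash) || verifyPassword('wrong', $hash)) {
    throw new RuntimeException('verification self-check failed');
}

// Modern alternative (PHP 5.5+): password_hash() generates a strong salt
// itself, so there is no salt argument to forget.
$hash2 = password_hash('mypassword', PASSWORD_BCRYPT, ['cost' => 12]);
if (!password_verify('mypassword', $hash2)) {
    throw new RuntimeException('password_hash self-check failed');
}
echo "crypt() and password_hash() checks passed\n";
```

Storing the complete crypt() return value is what makes verification possible: the bcrypt salt and cost travel inside the hash string, so the only secret is the password itself. Short, fixed salts such as '123salt' in the page's snippet select the legacy DES scheme and weaken the result regardless of their secrecy.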

1.2.1465.1. Suggestions

  • Always provide the second argument

1.2.1465.2. Specs

Short name

Structures/CryptWithoutSalt

Rulesets

All, Changed Behavior, CompatibilityPHP54

Exakat since

0.8.4

PHP Version

With PHP 5.6 and older

Severity

Minor

Time To Fix

Instant (5 mins)

Changed Behavior

PHP 5.6 - More

Precision

Very high

Available in

Entreprise Edition, Exakat Cloud