1.2.1475. crypt() Without Salt

PHP requires a salt when calling crypt(); PHP 5.5 and earlier versions did not require it. The salt is a simple string, usually known only to the application.

According to the manual: the salt parameter is optional, but crypt() creates a weak hash without it. PHP 5.6 and later raise an E_NOTICE when the salt is omitted. Make sure to specify a strong enough salt for better security.

<?php
// Set the password
$password = 'mypassword';

// Salted crypt() usage: the salt is passed explicitly (always valid)
$hash = crypt($password, '123salt');

// Salt-less crypt() usage: the salt is generated automatically and the
// resulting hash is weak. This raises an E_NOTICE as of PHP 5.6, and the
// salt argument became mandatory in PHP 8.0. This is the call the rule flags.
$hash = crypt($password);

?>

See also crypt() in the PHP manual.

1.2.1475.1. Suggestions

  • Always provide the second argument
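The following is an added example, not code from the Exakat rule page or from the PHP manual, showing what "always provide the second argument" looks like with a strong salt. It assumes PHP 7 or later (for random_bytes() and the $2y$ bcrypt prefix); the function names makeBcryptSalt(), hashPassword() and verifyPassword() are this example's own.

```php
<?php
// Added example (not part of the Exakat rule page): build a strong,
// explicitly supplied salt so crypt() never falls back to the weak,
// salt-less behaviour the rule reports.

declare(strict_types=1);

/**
 * Build a bcrypt salt in the format crypt() expects:
 * "$2y$" + two-digit cost + "$" + 22 characters from the alphabet [./A-Za-z0-9].
 * random_bytes() is PHP's CSPRNG (PHP 7+).
 */
function makeBcryptSalt(int $cost = 12): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // base64 of 16 bytes yields 22 data characters from [A-Za-z0-9+/] plus
    // "==" padding; bcrypt uses '.' where base64 uses '+', so translate it.
    $raw = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $raw);
}

/**
 * Hash a password with crypt() and an explicit bcrypt salt.
 * crypt() returns a short failure string (such as "*0") when it rejects the
 * salt; a valid bcrypt hash is always 60 characters long, so check that.
 */
function hashPassword(string $password): string
{
    $hash = crypt($password, makeBcryptSalt());
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

/**
 * Verify a password against a stored hash. The stored hash carries its own
 * salt, so it is passed back as the salt argument, and the comparison is done
 * in constant time with hash_equals().
 */
function verifyPassword(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Constructed sample input for a stand-alone run.
$hash = hashPassword('mypassword');
var_dump(verifyPassword('mypassword', $hash)); // correct password
var_dump(verifyPassword('wrong', $hash));      // wrong password
```

From PHP 5.5 onward, password_hash() and password_verify() wrap exactly this salt generation and constant-time comparison, so new code should normally prefer them; the hand-built salt above is only needed where crypt() itself must be called directly.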

1.2.1475.2. Specs

Short name: Structures/CryptWithoutSalt

Rulesets: All, Changed Behavior, CompatibilityPHP54

Exakat since: 0.8.4

PHP Version: With PHP 5.6 and older

Severity: Minor

Time To Fix: Instant (5 mins)

Changed Behavior: PHP 5.6

Precision: Very high

Available in: Enterprise Edition, Exakat Cloud