1.2.1636. mcrypt_create_iv() With Default Values¶
Avoid using mcrypt_create_iv() default values.
mcrypt_create_iv() used to have MCRYPT_DEV_RANDOM as default values, and in PHP 5.6, it now uses MCRYPT_DEV_URANDOM.
If the code doesn’t have a second argument, it relies on the default value. It is recommended to set explicitly the value, so has to avoid problems while migrating.
<?php
$size = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CFB);
// mcrypt_create_iv is missing the second argument
$iv = mcrypt_create_iv($size);
// Identical to the line below
// $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
?>
See also mcrypt_create_iv().
1.2.1636.1. Suggestions¶
Avoid using mcrypt_create_iv() default values.
1.2.1636.2. Specs¶
Short name |
Structures/McryptcreateivWithoutOption |
Rulesets |
|
Exakat since |
0.8.4 |
PHP Version |
With PHP 5.6 and older |
Severity |
Minor |
Time To Fix |
Instant (5 mins) |
Precision |
High |
Features |
mcrypt |
Available in |