
Function crypt() doesn't return the hash value in PHP 7.0

I had something like this (copied from http://www.gregboggs.com/php-blowfish-random-salted-passwords/ )

        $Blowfish_Pre = '$2a$05$';
        $Blowfish_End = '$';
        $bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;
        $hashed_password = crypt($password, $bcrypt_salt);

        echo $salt . '<br>';
        echo $password . '<br>';
        echo $bcrypt_salt . '<br>';
        echo $hashed_password . '<br>';
        echo "end";

When I test run it, it turns out that the value of $hashed_password is exactly the same as $bcrypt_salt, while $salt, $password, and $bcrypt_salt all return values as expected. How do I fix this?

Sorry, that was wrong: The "05$" in "pre" is too much. Try without.

The manual ( http://php.net/manual/en/function.crypt.php ) says:

CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".

Using such a 22-char long salt works:

        echo crypt('secret', '$2a$05$1234567890123456789012$');
        $2a$05$123456789012345678901u.97m5mwuxOR3RvRKYm9sasohx5Mnzwq

Always use a random hash, the above was just an example!

If you don't need the "2a" version of blowfish, I'd recommend using the following, as it is compatible with crypt() and generates a random salt:

        echo password_hash("secret", PASSWORD_BCRYPT);

PS: When reading things like this in the manual I'd tend to recommend not using PHP for anything at all anymore. Can't they just throw an Exception like any other sane API?

Using characters outside of this range in the salt will cause crypt() to return a zero-length string.
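An added example, not part of the original question or answer: a fail-closed wrapper that checks the setting string against the format quoted from the manual and throws instead of returning an unusable value, followed by the password_hash() route the answer recommends. The helper name strict_bcrypt() and the sample inputs are assumptions made for illustration.

```php
<?php
// strict_bcrypt() is a hypothetical helper, not a PHP built-in.
function strict_bcrypt(string $password, string $setting): string
{
    // Manual format: "$2a$", "$2x$" or "$2y$", two-digit cost, "$", 22 salt chars.
    if (!preg_match('#^\$2[axy]\$(\d{2})\$[./0-9A-Za-z]{22}#', $setting, $m)) {
        throw new InvalidArgumentException('malformed bcrypt setting string');
    }
    // bcrypt accepts costs 04 through 31 only.
    if ((int) $m[1] < 4 || (int) $m[1] > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 04 and 31');
    }
    $hash = crypt($password, $setting);
    // A bcrypt hash is always 60 characters and keeps the "$2?$NN$" prefix;
    // anything else (empty string, short failure token, echoed salt) is a failure.
    if (strlen($hash) !== 60 || strncmp($hash, $setting, 7) !== 0) {
        throw new RuntimeException('crypt() did not return a bcrypt hash');
    }
    return $hash;
}

// Constructed input: a setting whose salt is shorter than 22 characters.
try {
    strict_bcrypt('secret', '$2a$05$tooShortSalt$');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Route recommended in the answer: password_hash() generates the random salt itself.
$stored = password_hash('secret', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(password_verify('secret', $stored));
var_dump(password_verify('wrong', $stored));

// The stored value is crypt()-compatible: it can be passed back as the setting string.
var_dump(hash_equals($stored, crypt('secret', $stored)));
```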
