Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:113022 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 41000 invoked from network); 29 Jan 2021 15:10:36 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 29 Jan 2021 15:10:36 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 84FD31804AA for ; Fri, 29 Jan 2021 06:52:51 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-il1-f177.google.com (mail-il1-f177.google.com [209.85.166.177]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Fri, 29 Jan 2021 06:52:50 -0800 (PST) Received: by mail-il1-f177.google.com with SMTP id m20so1215088ilj.13 for ; Fri, 29 Jan 2021 06:52:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Be85GIaxELVqz8+8mgwQ06Zu6JIYHzel/IXYGkqf4yk=; b=qygdIkILNqenXEFFDivL8n+l9BFw9kdXXqzJZU/nYAFMCdyzhbDebGzTknnvpfGbX1 IHbJ7ZXhd1LWU3FYIt6uvR3o9enxcGL7F1b958y88hhAMB9VIaDj+5cl/gb+mQ63vaBQ cTvZVF4MelmZDlYWKZITEmw2PFlYqUNPwjsn0icwXLpFfj6QHp4OK9UDPobx/2COWPZI PbNLZKuyp0j84mJgknjbaFJdpEKF+1PkQGOMkGU/uSCRtxJYgzhcPomPEwn3uwjG12RR ye0+5brcxJz7VlZGXLrvbXSpWFcCAJsy+OLXDlOidSTNAZ1+MGCLjaRH/odZdmDFoyIu Wb0w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Be85GIaxELVqz8+8mgwQ06Zu6JIYHzel/IXYGkqf4yk=; b=Z+acaJ5nS+FFzzrnJ2cEo4kBIO4ssMQ7LRekQZatH2WyunXv8PBmaS0OP+QT0AH6Y2 cU7eccUKLZA8ScNOtb1WdRIa4dr6NUTiwTLvdAO1IlB+W6Ia/qv5wHJc1VFFGBx196sM FwA8ZpsSyox/jzytNNOTCFQRMO8PVSqhm+R53HN+c5kfZKwmseZp/lyjJvkIgsTcMtpE ovJvwgC8kQwAX5JvEEFDO4OF8rQPnxx+Pg/aUigTDvvXKF7OoWFruCn7plyovxFUFVH+ klfaHzA+h7Jt3ZwalW0kQi19Z5zoBbbxOiIt/HawlFVN4qpeOThmmSbHo8AEFRly3Tj2 EsRg== X-Gm-Message-State: AOAM530QJldKbmHtOdJ/1CMMjLKgTwrPrVdPHLW4LMYduFkta9adnkrc YP6viLRHY6naW3+0DtRCn8GDR83jbvjcpvIFaYRuxRPe5YC4Q1yj X-Google-Smtp-Source: ABdhPJx0InrVN+iUIkccClj1sgydg3L5cTsgaOVWpdY4ah6xaV5JfYK7hmMXbjY/Zjynx9vpvjfDIjqMDuTIvmykECA= X-Received: by 2002:a92:d082:: with SMTP id h2mr3302753ilh.292.1611931968682; Fri, 29 Jan 2021 06:52:48 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Date: Fri, 29 Jan 2021 15:52:36 +0100 Message-ID: To: Jesse Rushlow Cc: PHP Internals List Content-Type: multipart/alternative; boundary="00000000000065411d05ba0b287c" Subject: Re: [PHP-DEV] password_verify() and unknown algos From: ocramius@gmail.com (Marco Pivetta) --00000000000065411d05ba0b287c Content-Type: text/plain; charset="UTF-8" On Fri, Jan 29, 2021 at 3:45 PM Jesse Rushlow wrote: > However having a third param to password_verify(), that is false by > default, that would allow for > an exception to be thrown in the event of an unknown algo / bad hash might > be a better path forward and would be totally beneficial in my opinion. > Gonna be the usual person saying: let's not clutter functions with more behavior than what's needed :-) If you need to validate a hash for being "well formed" rather than "matching", then write a separate function dedicated to that, rather than increasing the complexity of a pre-existing symbol. Marco Pivetta http://twitter.com/Ocramius http://ocramius.github.com/ --00000000000065411d05ba0b287c--