On 27/01/2021 16:26, Benjamin Morel wrote:
Shouldn't it throw an exception, or at least trigger a warning, when the algorithm is unknown, or the hash is malformed? Returning false, IMO, should mean "I recognize this hash, but it doesn't match your password". "I don't recognize this hash" is an application issue and should be reported.
Relevantly, password_hash() throws a ValueError for an unknown $algo parameter as of 8.0: https://heap.space/xref/php-src/ext/standard/password.c?r=3e01f5af#663
It would probably make sense to throw the same error if php_password_algo_identify doesn't recognise the ident in the hash.
Regards,

--
Rowan Tommins
[IMSoP]

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
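The distinction the thread draws (an unrecognised or malformed hash is an application defect, a recognised hash that does not match is a normal failed login) can be enforced today at the application layer, without the core change under discussion. The following is an added example, not code from the thread or from php-src. It assumes PHP 8.0+ (for the `ValueError` class that `password_hash()` itself throws, as cited above) and relies on `password_get_info()` reporting `'algoName' => 'unknown'` for a hash whose identifier `php_password_algo_identify` cannot match; the wrapper name and the sample hash strings are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not from the mailing-list thread or php-src): separate
// "hash not recognised" (reported by throwing) from "hash recognised but
// password does not match" (returns false), so a corrupted or truncated
// stored hash cannot silently masquerade as a wrong password.

// Hypothetical exception type; extends ValueError to mirror what
// password_hash() throws for an unknown algorithm as of PHP 8.0.
final class UnrecognizedPasswordHash extends ValueError {}

function verifyPasswordStrict(string $password, string $hash): bool
{
    // password_get_info() runs the same identification step password_verify()
    // uses; an unparseable identifier yields 'algoName' => 'unknown'.
    $info = password_get_info($hash);
    if ($info['algoName'] === 'unknown') {
        // Corrupted column, truncated hash, or an algorithm this build lacks:
        // surface it to the caller instead of reporting a failed login.
        throw new UnrecognizedPasswordHash(
            'stored password hash is malformed or uses an unrecognized algorithm'
        );
    }
    // Recognised format: a false result now genuinely means "wrong password".
    return password_verify($password, $hash);
}

// Demonstration with constructed inputs.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT);

var_dump(verifyPasswordStrict('correct horse battery staple', $stored));
var_dump(verifyPasswordStrict('not the password', $stored));

// A constructed string with an identifier no registered algorithm claims.
try {
    verifyPasswordStrict('anything', '$9z$10$not-a-real-hash-format');
} catch (UnrecognizedPasswordHash $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Logging or alerting on `UnrecognizedPasswordHash` gives operators a signal that the credential store is damaged or that a deployment lacks an algorithm the data relies on, which a plain `false` from `password_verify()` would hide among ordinary failed logins.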