Fixing this is a simple matter, but I wanted to bounce approaches for BC (or
lack thereof) off everyone else since this version of openssl_encrypt() is
already "in the wild".
I think it's worth a BC break. Comments?
To break BC is a no go, even if your arguments are appealing (even in
a major version).
I disagree about its no-go-ness, given the fact that these functions
aren't particularly usable as-is, but it's also not worth a fight.
Given the comments made on list my intentions are as follows:
1) Add $iv as a fifth, optional parameter to openssl_(en|de)crypt()
2) Throw a warning if openssl_encrypt() is used without an IV
3) Add openssl_cipher_get_iv_length($cipher)
I intend to make these changes on both trunk and PHP_5_3 because, IMO,
this is a bug, not merely a missing feature.
The only BC break is the warning raised when using openssl_encrypt()
without an IV. Given the extremely bad practice using a NULL IV
represents, I think this is a reasonable course of action.
-Sara
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
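
The three changes proposed above, as an added example that is not part of the original message or PHP's own code: it queries the IV length with openssl_cipher_get_iv_length(), passes a fresh random IV as the fifth argument, and contrasts that with a fixed IV. Assumptions: PHP 7 or later (random_bytes, OPENSSL_RAW_DATA), the hypothetical helper names encrypt_message/decrypt_message, an all-zero IV standing in for the "NULL IV" case, and an HMAC added because CBC alone gives no integrity.

```php
<?php
// Added example; keys and plaintext are constructed sample values.
const CIPHER = 'aes-256-cbc';
const MAC_LEN = 32; // HMAC-SHA256 output length in bytes

function encrypt_message(string $pt, string $encKey, string $macKey): string
{
    // Query the IV length from the cipher rather than hard-coding it.
    $iv = random_bytes(openssl_cipher_get_iv_length(CIPHER));
    $ct = openssl_encrypt($pt, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    // The IV is not secret: send it with the ciphertext, and MAC both.
    return $iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true);
}

function decrypt_message(string $blob, string $encKey, string $macKey): string
{
    $ivLen = openssl_cipher_get_iv_length(CIPHER);
    if (strlen($blob) <= $ivLen + MAC_LEN) {
        throw new RuntimeException('message too short');
    }
    $iv  = substr($blob, 0, $ivLen);
    $ct  = substr($blob, $ivLen, -MAC_LEN);
    $mac = substr($blob, -MAC_LEN);
    // Check the MAC before decrypting; hash_equals compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    return $pt;
}

$encKey = random_bytes(32);          // constructed sample keys
$macKey = random_bytes(32);
$msg = 'account=42;amount=100.00';   // constructed sample plaintext

// Fixed IV (assumed all-zero): identical plaintexts give identical ciphertexts.
$fixedIv = str_repeat("\0", openssl_cipher_get_iv_length(CIPHER));
$a = openssl_encrypt($msg, CIPHER, $encKey, OPENSSL_RAW_DATA, $fixedIv);
$b = openssl_encrypt($msg, CIPHER, $encKey, OPENSSL_RAW_DATA, $fixedIv);
echo 'fixed IV repeats: ', var_export($a === $b, true), PHP_EOL;
// Random IV per message: the same plaintext encrypts differently each time.
$c = encrypt_message($msg, $encKey, $macKey);
$d = encrypt_message($msg, $encKey, $macKey);
echo 'random IV repeats: ', var_export($c === $d, true), PHP_EOL;
echo 'round trip ok: ', var_export(decrypt_message($c, $encKey, $macKey) === $msg, true), PHP_EOL;
```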