On 07/02/2012 01:55 PM, Anthony Ferrara wrote:
> Chris,
>
>> Can you update the RFC (aka future documentation) and make this obvious
>> to an end user?
>
> I just made an update (in the behavior sections). Let me know if
> additional clarification is needed.

To be honest, a note next to PASSWORD_DEFAULT would be good too.

>> The API of password_make_salt() seems restrictive. What if other
>> options are needed in future?
>
> Can you give any examples of what options would be needed in the
> future, or how you would like to see the API?

I only have brainstorm thoughts on this, since I don't have a crystal
ball. What if characters other than a-zA-Z0-9./ should/can be used
for some PASSWORD_xxx algorithms? What if some seed is needed? What
if the salt creation algorithm should be swappable due to resource
usage reasons, etc?

Also, do you really need a php.ini parameter? It's yet another
potential way to attack a system.

Chris
--
christopher.jo...@oracle.com
http://twitter.com/#!/ghrd
--
PHP Internals - PHP Runtime Development Mailing List