ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2053/php/rule.adoc

38 lines
1.1 KiB
Plaintext
Raw Normal View History

Add rules 2000-2999
2020-06-30 12:48:07 +02:00
include::../description.adoc[]
include::../recommended.adoc[]
== Noncompliant Code Example
----
function createMyAccount() {
$email = $_GET['email'];
$name = $_GET['name'];
$password = $_GET['password'];
$hash = hash_pbkdf2('sha256', $password, $email, 100000); // Noncompliant; salt (3rd argument) is predictable because initialized with the provided $email
$hash = hash_pbkdf2('sha256', $password, '', 100000); // Noncompliant; salt is empty
$hash = hash_pbkdf2('sha256', $password, 'D8VxSmTZt2E2YV454mkqAY5e', 100000); // Noncompliant; salt is hardcoded
change the inline-code delimitters
2020-12-23 14:59:06 +01:00
$hash = crypt($password); // Noncompliant; salt is not provided; fails in PHP 8
$hash = crypt($password, ""); // Noncompliant; salt is hardcoded; fails in PHP 8
Add rules 2000-2999
2020-06-30 12:48:07 +02:00
$options = [
'cost' => 11,
'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM), // Noncompliant ; use salt generated by default
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options);
}
----
== Compliant Solution
----
$salt = openssl_random_pseudo_bytes(16);
$hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);
----
include::../see.adoc[]
Reference in New Issue Copy Permalink