== How to fix it in Core PHP

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
$salt = 'salty';
$hash = hash_pbkdf2('sha256', $password, $salt, 100000); // Noncompliant
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
$salt = random_bytes(16);
$hash = hash_pbkdf2('sha256', $password, $salt, 100000);
----

=== How does this work?

include::../../common/fix/salt.adoc[]

Here, the compliant code example ensures the salt is random and has a sufficient
length by calling the `random_bytes` function with a length parameter set to 16.
This one internally uses a cryptographically secure pseudo random number
generator.