31 lines
749 B
Plaintext
31 lines
749 B
Plaintext
== How to fix it in Core PHP
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,php,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
$salt = 'salty';
|
|
$hash = hash_pbkdf2('sha256', $password, $salt, 100000); // Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,php,diff-id=1,diff-type=compliant]
|
|
----
|
|
$salt = random_bytes(16);
|
|
$hash = hash_pbkdf2('sha256', $password, $salt, 100000);
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/salt.adoc[]
|
|
|
|
Here, the compliant code example ensures the salt is random and has a sufficient
|
|
length by calling the `random_bytes` function with a length parameter set to 16.
|
|
This one internally uses a cryptographically secure pseudo random number
|
|
generator.
|