Codeigniter: remove references to mcrypt

Created on 7 Sep 2018  路  4Comments  路  Source: bcit-ci/CodeIgniter

Need to remove use of mcrypt, since it is deprecated in PHP 7.1 AND removed in 7.2.

The manual http://php.net/manual/en/function.mcrypt-create-iv.php states:

Warning

This function was DEPRECATED in PHP 7.1.0, and REMOVED in PHP 7.2.0.

Alternatives to this function include:

random_bytes()
There is an alternate solution if you don't want to use random_bytes(), and it is shown here:

PHP 7 - mcrypt deprecated, need alternative
https://stackoverflow.com/questions/41272257/mcrypt-is-deprecated-what-is-the-alternative

All 4 comments

btw, its in CodeIgniter/system/core/compat/password.php

Need to do your research before opening issues, and being more clear about it when you do.

If you did the first, you'd know we've already covered this. If you did the former, we'd at least know what you're talking about - there's 4 different libraries that use at least a part of mcrypt.

Now, you did do that that last thing while I was writing the reply, but you didn't look literally 5 lines above the mcrypt_create_iv() call that you're referring to ...

BUT why leave it in there?

  1. The particular occurence you're talking about is a forward-compatibility function that only gets declared on PHP versions lower than 5.5, because that's when ext/password was added into PHP - not even remotely affected by the deprecation & removal of mcrypt in PHP 7+.
  2. In other instances it's for backwards-compatibility. Deprecating and removing stuff from PHP doesn't magically modify existing code bases to work without the stuff in question.
  3. Prior to the introduction of random_bytes() in PHP 7, mcrypt_create_iv() was THE best CSPRNG function available in PHP. If you look at the popular random_compat package (linked in the official manual page for random_bytes()) you'd see that even there it is used behind the scenes as a first option.
  4. ext/mcrypt was deprecated because its underlying C shared library - libmcrypt - is abandoned, but contrary to how it might look like, mcrypt_create_iv() is NOT a part of libmcrypt. It's a function written specifically for PHP, because the base libmcrypt lacked a CSPRNG function, which is an essential utility for any cryptographic library. In short, even though mcrypt was deprecated, there's nothing wrong with mcrypt_create_iv() in particular and every expert on the topic will confirm this.

That's why.

Look, I know what you're doing and it's a good thing; I would advocate the same things. But you can't be a hero for technological progress without some effort. You have to do your homework, so to speak, and consider where it's applicable ... Instead, you're just parroting today's popular trend on the topic and putting zero thought into it. Nobody appreciates blind white-knighting.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Struki84 picture Struki84  路  7Comments

olisaagbafor picture olisaagbafor  路  3Comments

mckaygerhard picture mckaygerhard  路  4Comments

rmdhfz picture rmdhfz  路  3Comments

Tjoosten picture Tjoosten  路  6Comments