Deprecated: Function mcrypt_create_iv() is deprecated in /wire/core/Password.php on line 185

Question

Deprecated: Function mcrypt_create_iv() is deprecated in /wire/core/Password.php on line 185

Closed this issue 8 years ago · 10 comments

Just noticed this since upgrading to PHP7.

Happens on login and logout.

Answer 1 · 2016-09-06T19:02:33.000Z

Yes, I think this needs to be looked at. Laravel switched over to Open SSL a version or two ago (can't remember, exactly).

Answer 2 · 2016-09-06T19:12:17.000Z

Although it's pretty weird that it doesn't seem to be listed as deprecated on the PHP site:
http://php.net/manual/en/function.mcrypt-create-iv.php

What about using password_hash
http://php.net/manual/en/function.password-hash.php

Answer 3 · 2016-09-06T19:33:20.000Z

Related: https://wiki.php.net/rfc/mcrypt-viking-funeral
So it looks like this is predominantly PHP 7.1+.

password_hash will raise the min PHP version to 5.5 - not sure what Ryan's stance is on that...

Answer 4 · 2016-09-06T19:38:03.000Z

Good point - I should have mentioned that I was running 7.1 rather than 7.0. They are at RC1 so I thought I'd go for it.

password_hash will raise the min PHP version to 5.5 - not sure what Ryan's stance is on that...

True enough - sounds like fun times ahead dealing with the loss of mcrypt while still being backwards compatible.

Answer 5 · 2016-09-07T04:29:31.000Z

Just bumped into this: ircmaxell/password_compat

This library requires PHP >= 5.3.7 OR a version that has the $2y fix backported into it (such as RedHat provides). Note that Debian's 5.3.3 version is NOT supported.

Answer 6 · 2016-09-07T04:40:10.000Z

Looks good @mikerockett - given that PW requirements are 5.3.8+ then I guess we should be ok and the 5.3.3 Debian package isn't relevant.

Interesting that one of our own @pine3ree (https://processwire.com/talk/profile/2141-pine3ree/) is a contributor: https://github.com/ircmaxell/password_compat/commits?author=pine3ree

Answer 7 · 2016-09-07T04:55:30.000Z

given that PW requirements are 5.3.8+ then I guess we should be ok and the 5.3.3 Debian package isn't relevant.

True that. 👍 This minimum should be raised at some point. Jumplinks 2 requires at least 5.4, and that already feels ancient.

Answer 8 · 2016-09-20T10:24:11.000Z

We've already got the mcrypt_create_iv call surrounded in a function_exists(), and multiple fallbacks are already in place. I'll wait and see what they do in the password_compat library for PHP 7.1. For now I suppose the best thing to do is add a suppression operator to the function call in order to prevent the deprecated notice in 7.1?

Answer 9 · 2016-09-20T12:57:27.000Z

I think that should suffice for now, if the fallbacks are in place and work.

Answer 10 · 2016-09-20T13:41:36.000Z

Thanks for the info @ryancramerdesign - that sounds fine to me also. I'll leave for you to close, or leave open if you'd prefer it as a reminder that it's really only a temporary solution.