[9.x] Fix deprecation warning when comparing a password against a NULL database password
#44986
Conversation
|
A password in the database should never be null. Just generate passwords for all users. |
In that case, should passwords in the database ever be empty strings? |
|
We have a system that allows users to invite other users. When the user is invited, an account is created with a If passwords in the database should never be |
|
By default, a password is not nullable in Laravel: I can't speak for empty strings. |
|
I believe this commit a36f1fe was added to fix errors if null was passed in as the hashed password. Would be good to hear from @GrahamCampbell to know if that was the case. |
|
I don't understand why your tests were using |
|
Yes they should have been |
|
Thanks - just checking |
This used to be dealt with via a
strlen(null)check added in this commita36f1fe
@GrahamCampbell I'd appreciate if you could cast your eye over this change.
strlen(null)used to return 0 as shown in this PHP docs comment, however since PHP 8.0, passing null to strlen() has been deprecated.I think this check has always been a null check as passing an empty string as the second parameter to
password_verify()has always been permitted and throws no level of warning or error.To be on the safe side I have also added tests for when
$hashedValueis passed in as an empty string.We're are seeing a lot of deprecation notices as in our system it is possible for users to have a NULL password in the database until they have activated their account and setup a password.