ryancramerdesign / ProcessWire

Our repository has moved to https://github.com/processwire – please head there for the latest version.
https://processwire.com

Deprecated: Function mcrypt_create_iv() is deprecated in /wire/core/Password.php on line 185 #2029

Closed adrianbj closed 8 years ago

adrianbj commented 8 years ago

Just noticed this since upgrading to PHP7.

Happens on login and logout.

mikerockett commented 8 years ago

Yes, I think this needs to be looked at. Laravel switched over to OpenSSL a version or two ago (can't remember, exactly).

adrianbj commented 8 years ago

Although it's pretty weird that it doesn't seem to be listed as deprecated on the PHP site: http://php.net/manual/en/function.mcrypt-create-iv.php

What about using password_hash? http://php.net/manual/en/function.password-hash.php

mikerockett commented 8 years ago

Related: https://wiki.php.net/rfc/mcrypt-viking-funeral

So it looks like this is predominantly PHP 7.1+.

password_hash will raise the min PHP version to 5.5 - not sure what Ryan's stance is on that...

adrianbj commented 8 years ago

Good point - I should have mentioned that I was running 7.1 rather than 7.0. They are at RC1 so I thought I'd go for it.

> password_hash will raise the min PHP version to 5.5 - not sure what Ryan's stance is on that...

True enough - sounds like fun times ahead dealing with the loss of mcrypt while still being backwards compatible.

mikerockett commented 8 years ago

Just bumped into this: ircmaxell/password_compat

> This library requires PHP >= 5.3.7 OR a version that has the $2y fix backported into it (such as RedHat provides). Note that Debian's 5.3.3 version is NOT supported.

adrianbj commented 8 years ago

Looks good @mikerockett - given that PW requirements are 5.3.8+ then I guess we should be ok and the 5.3.3 Debian package isn't relevant.

Interesting that one of our own @pine3ree (https://processwire.com/talk/profile/2141-pine3ree/) is a contributor: https://github.com/ircmaxell/password_compat/commits?author=pine3ree

mikerockett commented 8 years ago

> given that PW requirements are 5.3.8+ then I guess we should be ok and the 5.3.3 Debian package isn't relevant.

True that. :+1: This minimum should be raised at some point. Jumplinks 2 requires at least 5.4, and that already feels ancient.

ryancramerdesign commented 8 years ago

We've already got the mcrypt_create_iv call surrounded in a function_exists(), and multiple fallbacks are already in place. I'll wait and see what they do in the password_compat library for PHP 7.1. For now I suppose the best thing to do is add a suppression operator to the function call in order to prevent the deprecated notice in 7.1?
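
Added example, not part of the thread and not ProcessWire's `Password.php`: one way to order the guarded fallbacks discussed above so that `mcrypt_create_iv()` is only reached on PHP versions that lack `random_bytes()`, which avoids the 7.1 notice without a suppression operator. The function names `secureRandomBytes()` and `hashPassword()` and the sample password are assumptions made for this illustration.

```php
<?php
// Added example, not ProcessWire's Password.php. secureRandomBytes() and
// hashPassword() are hypothetical names used only for this illustration.

/**
 * Return $length bytes from the best CSPRNG this PHP build offers.
 * Order: random_bytes (7.0+), OpenSSL, then mcrypt as a legacy last resort.
 */
function secureRandomBytes($length) {
    if (function_exists('random_bytes')) {
        return random_bytes($length); // throws if no entropy source exists
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    if (function_exists('mcrypt_create_iv')) {
        // Only reached on PHP < 7.0 without usable OpenSSL, so the 7.1
        // deprecation notice never fires and no @ operator is needed.
        $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // Fail closed rather than fall back to mt_rand()/uniqid().
    throw new RuntimeException('No cryptographically secure random source');
}

/** Hash with password_hash() where available (5.5+), else salted bcrypt. */
function hashPassword($password) {
    if (function_exists('password_hash')) {
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    }
    // PHP 5.3.7+: build a $2y$ salt (22 chars of ./A-Za-z0-9) by hand.
    $salt = substr(strtr(base64_encode(secureRandomBytes(16)), '+', '.'), 0, 22);
    return crypt($password, '$2y$10$' . $salt);
}

// Self-check on a constructed password: bcrypt output is 60 chars and
// re-hashing with the stored hash as the salt reproduces it.
$hash = hashPassword('constructed-sample-password');
var_dump(strlen($hash) === 60, crypt('constructed-sample-password', $hash) === $hash);
```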

mikerockett commented 8 years ago

I think that should suffice for now, if the fallbacks are in place and work.

adrianbj commented 8 years ago

Thanks for the info @ryancramerdesign - that sounds fine to me also. I'll leave it for you to close, or leave open if you'd prefer it as a reminder that it's really only a temporary solution.