mcrypt_get_iv_size() is deprecated in PHP 7.1 #186

Closed
akak0r opened this issue Jun 22, 2017 · 4 comments

akak0r commented Jun 22, 2017

Please note the following error in PHP 7.1:

PHP Deprecated: Function mcrypt_get_iv_size() is deprecated in /hashover/scripts/encryption.php on line 44.

It's probably a good idea to remove the mcrypt dependency, since it will be removed in PHP 7.2 (and is already deprecated in PHP 7.1).

http://php.net/manual/en/function.mcrypt-get-iv-size.php

Use OpenSSL instead:
http://php.net/manual/en/function.openssl-encrypt.php

akak0r changed the title from "mcrypt_get_iv_size() is deprecated" to "mcrypt_get_iv_size() is deprecated in PHP 7.1" on Jun 22, 2017

jacobwb (Owner) commented Sep 23, 2017

Hello, thanks for pointing this out!

The problem is HashOver uses Mcrypt, which has been deprecated in PHP 7.1. You can work around this for now by using PHP 5.x, if that is an option.

Regardless, a fix will be posted soon, hang tight...

leem32 commented Oct 16, 2017

I have the same issue as the OP on localhost using XAMPP and Windows 7, PHP 7.1.1.

The console gives the message:
SyntaxError: expected expression, got '<' hashover-javascript.php:1

And PHP response:
Deprecated: Function mcrypt_get_iv_size() is deprecated in C:\xampp\htdocs\hashover\scripts\encryption.php on line 44

Is there any other way around this issue until the library is updated? I've tried suppressing the error but it's still not displaying the comments.

Using PHP 5.x is not an option for me, unfortunately.

leem32 commented Oct 19, 2017

I couldn't wait, so I've answered my own issue and changed the code to use OpenSSL in place of the deprecated mcrypt, and the comments are now displaying when using PHP 7.1.

If you have the same problem, then here's the updated code:

Go to encryption.php and change the Encryption class to the code below.

Note: This code uses the aes-256-gcm algorithm so won't work pre PHP 7.1.0. Apparently, this algo is the most secure and faster than the others.
If you need the code to work for older PHP versions then just change `protected $cipher = 'aes-256-gcm';` found in the Encryption class to `protected $cipher = 'aes-256-cbc';` and also remove all references to the `$tag` variable.

```php
class Encryption
{
	protected $prefix;
	protected $cost = '$10$';
	protected $cipher = 'aes-256-gcm';
	protected $iv;
	protected $encryption_key;

	public function __construct ()
	{
		$this->prefix = (version_compare (PHP_VERSION, '5.3.7') < 0) ? '$2a' : '$2y';
		$this->encryption_key = base64_encode (openssl_random_pseudo_bytes (32));
	}

	// Creates Blowfish hash for passwords
	public function createHash ($str)
	{
		// Generate alphameric array
		$alphabet = str_split ('aAbBcCdDeEfFgGhHiIjJkKlLmM.nNoOpPqQrRsStTuUvVwWxXyYzZ/0123456789');
		shuffle ($alphabet);
		$salt = '';

		// Generate random 20 character alphameric string
		foreach (array_rand ($alphabet, 20) as $alphameric) {
			$salt .= $alphabet[$alphameric];
		}

		// Return hashed string
		return crypt ($str, $this->prefix . $this->cost . $salt . '$$');
	}

	// Creates Blowfish hash with salt from supplied hash; returns true if both match
	public function verifyHash ($str, $compare)
	{
		$salt = explode ('$', $compare);
		$hash = crypt ($str, $this->prefix . $this->cost . $salt[3] . '$$');

		return ($hash === $compare) ? true : false;
	}

	// Encrypts a string with OpenSSL
	public function encrypt ($str)
	{
		// Remove the base64 encoding from our key
		$encrypt_key = base64_decode ($this->encryption_key);

		// Generate a fresh IV on every call: GCM must never reuse an IV with the same key
		$this->iv = openssl_random_pseudo_bytes (openssl_cipher_iv_length ($this->cipher));

		// Encrypt the data using AES 256 in GCM mode with our encryption key and
		// initialization vector; $tag receives the authentication tag
		$encrypted = openssl_encrypt ($str, $this->cipher, $encrypt_key, 0, $this->iv, $tag);

		// Return encrypted value and comma-separated cipher, key, IV and tag
		return array (
			'encrypted' => base64_encode ($encrypted),
			'keys' => $this->cipher . ',' . $this->encryption_key . ',' . base64_encode ($this->iv) . ',' . base64_encode ($tag)
		);
	}

	// Decrypts a string produced by encrypt ()
	public function decrypt ($str, $encrypted_keys)
	{
		if (!empty ($str) && !empty ($encrypted_keys)) {
			$decrypted = base64_decode ($str, true);

			// Split the stored string back into cipher, key, IV and tag
			list ($cipher, $encrypt_key, $iv, $tag) = explode (',', $encrypted_keys);

			$encrypt_key = base64_decode ($encrypt_key);
			$iv = base64_decode ($iv);
			$tag = base64_decode ($tag);

			if ($decrypted !== false and !empty ($decrypted)) {
				// Returns false if the authentication tag does not verify
				$decrypted = openssl_decrypt ($decrypted, $cipher, $encrypt_key, 0, $iv, $tag);

				return $decrypted;
			}
		}

		return false;
	}
}
```

The code is written in a way that slots straight into the existing code so there's no need to change anything else.

Edit: Made a slight change to the encrypt and decrypt functions, setting the returned keys in encrypt as a string instead of an array, because it was causing an error (setcookie expects param 2 to be string array given) when posting and replying to comments and preventing ajax from working.

Edit 2: base64 encoded the iv and tag variables so the encrypted XML in the pages folder doesn't have any invalid characters. Without doing this you get an error when logged in and you provided an email address, which prevents your comments from displaying and instead shows 'Something went wrong. Could not retrieve this comment.'.
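
The CBC fallback mentioned in the comment above drops the `$tag`, and with it the integrity check that GCM provides. The following is an added example, not part of the original post and not HashOver code, showing AES-256-CBC paired with an HMAC (encrypt-then-MAC) so tampering is still detected on PHP versions without GCM support. The function names `derive_keys`, `seal`, `unseal` and the `iv.ciphertext.mac` layout are assumptions; `hash_equals()` requires PHP 5.6 or later.

```php
<?php
// Added example, not HashOver code. Function names and the
// "iv.ciphertext.mac" layout are assumptions made for illustration.

// Derive separate encryption and MAC keys from one 32-byte master key
function derive_keys ($master_key)
{
	return array (
		hash_hmac ('sha256', 'enc', $master_key, true),
		hash_hmac ('sha256', 'mac', $master_key, true)
	);
}

function seal ($plaintext, $master_key)
{
	list ($enc_key, $mac_key) = derive_keys ($master_key);

	// Fresh random IV for every message
	$iv = openssl_random_pseudo_bytes (openssl_cipher_iv_length ('aes-256-cbc'));
	$ct = openssl_encrypt ($plaintext, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
	if ($ct === false) return false;

	// Encrypt-then-MAC: the HMAC covers both IV and ciphertext
	$mac = hash_hmac ('sha256', $iv . $ct, $mac_key, true);
	return base64_encode ($iv) . '.' . base64_encode ($ct) . '.' . base64_encode ($mac);
}

function unseal ($blob, $master_key)
{
	$parts = explode ('.', $blob);
	if (count ($parts) !== 3) return false;

	list ($iv, $ct, $mac) = array_map ('base64_decode', $parts);
	list ($enc_key, $mac_key) = derive_keys ($master_key);

	// Verify before decrypting; hash_equals() compares in constant time
	$expected = hash_hmac ('sha256', $iv . $ct, $mac_key, true);
	if (!hash_equals ($expected, (string) $mac)) return false;

	return openssl_decrypt ($ct, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
}

// Constructed demo: round trip, then flip one ciphertext bit and retry
$key = openssl_random_pseudo_bytes (32);
$blob = seal ('user@example.com', $key);
var_dump (unseal ($blob, $key));

$parts = explode ('.', $blob);
$raw = base64_decode ($parts[1]);
$raw[0] = chr (ord ($raw[0]) ^ 1);
$parts[1] = base64_encode ($raw);
var_dump (unseal (implode ('.', $parts), $key));
```

`unseal()` rejects the modified blob at the MAC comparison, before any decryption is attempted; plain CBC without the HMAC would instead return corrupted plaintext or a padding error.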

poVoq pushed a commit to poVoq/hashover-next that referenced this issue Feb 1, 2018
jorgesumle (Contributor) commented:

@leem32, can you create a pull request?
