Mcrypt no longer supported in PHP 7.2 – Secure alternatives

Mcrypt is a thing of the past: here's what you need to do now

In 2017, PHP 7.2 will be released, and with this new version the outdated and unsafe PHP Mcrypt module will disappear for good. Mcrypt has been discouraged for some time because it is no longer safe or reliable. Spot checks nevertheless show that some applications still use these functions. In this blog, we explain why you really don't want to use Mcrypt anymore and what the alternatives are.

What is Mcrypt?

Mcrypt is a PHP extension that enables encryption of information. It allows you to send data securely. However, Mcrypt has many bugs and security vulnerabilities, making it no longer a reliable option. Development of the libmcrypt library, which powers the PHP module, has been halted since 2008. This means that known issues and vulnerabilities are not being fixed. The unreliable random generator makes it even more risky to continue using Mcrypt.

Why not use Mcrypt?

There are a few important reasons not to use Mcrypt:
  1. Insecure cryptographic functions: It is easy to use insecure functions, compromising the security of your application.
  2. Outdated software: The libmcrypt library has not been in development since 2008, so bugs and security issues remain unsolved.
  3. Unreliable encryption: The random generator is not reliable enough for secure encryption.

What are the alternatives to Mcrypt?

Fortunately, there are more secure alternatives available for cryptographic functions in PHP:
  1. libsodium: This is the most efficient and secure method for encryption. From PHP 7.2, libsodium is included by default. Are you using PHP 7.0 or 7.1? Then you can already use the libsodium PECL extension on our servers.
  2. Defuse PHP-Encryption: This wrapper for OpenSSL makes it difficult to use insecure PHP functions. If you use Composer, you can install it yourself with: composer require defuse/php-encryption. On our servers, this library is available by default and you can call it with: require_once('defuse-crypto');.
  3. OpenSSL: If you cannot use the above options, you can fall back on the OpenSSL functions that come standard in PHP.
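As an added example (not code from the original post), this is what a Mcrypt replacement built on the libsodium option above looks like: authenticated encryption with sodium_crypto_secretbox, a fresh random nonce per message, and a decrypt routine that returns null instead of garbage when the data has been altered. The function names and the sample message are ours; it requires PHP 7.2 or the libsodium PECL extension.

```php
<?php
declare(strict_types=1);

// Added example: replacing mcrypt_encrypt()/mcrypt_decrypt() with the
// libsodium secretbox API. Function names are assumptions for this demo.

// Generate a key once and store it outside the web root. Never build the key
// from a password or a fixed string the way many old mcrypt snippets did.
function make_key(): string
{
    return sodium_crypto_secretbox_keygen(); // 32 cryptographically random bytes
}

// Encrypt: a new random nonce for every message, prepended to the ciphertext
// so the receiver can recover it. secretbox also authenticates the result.
function encrypt_message(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ciphertext);
}

// Decrypt: null on any failure (wrong key, truncated or modified data).
// Unauthenticated mcrypt CBC would silently hand back corrupted plaintext here.
function decrypt_message(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    $minimum = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minimum) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    return $plaintext === false ? null : $plaintext;
}

// Constructed sample run.
$key = make_key();
$token = encrypt_message('account balance: 42', $key);
var_dump(decrypt_message($token, $key));

// Flip the last byte of the stored token: the MAC check fails and
// decrypt_message() refuses to return anything.
$tampered = base64_decode($token, true);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(decrypt_message(base64_encode($tampered), $key));

sodium_memzero($key); // wipe the key from memory when it is no longer needed
```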

The Mcrypt timeline

Since PHP 7, Mcrypt has been deprecated, meaning that using these functions generates a warning in the error logs. Since PHP 7.2, Mcrypt has been removed entirely, and if you try to call the functions anyway you get a fatal error: "Fatal error: Call to undefined function mcrypt_*".

What should you do now?

Applications like WordPress, Joomla and Magento no longer use Mcrypt functions in recent versions, so you don't need to change anything in those cases. However, if you run a custom PHP application, we recommend checking your code. Pay attention to the following functions:

mcrypt_cfb
mcrypt_cbc
mcrypt_create_iv
mcrypt_decrypt
mcrypt_ecb
mcrypt_enc_get_algorithms_name
mcrypt_enc_get_block_size
mcrypt_enc_get_iv_size
mcrypt_enc_get_key_size
mcrypt_enc_get_modes_name
mcrypt_enc_get_supported_key_sizes
mcrypt_enc_is_block_algorithm_mode
mcrypt_enc_is_block_algorithm
mcrypt_enc_is_block_mode
mcrypt_enc_self_test
mcrypt_encrypt
mcrypt_generic_deinit
mcrypt_generic_end
mcrypt_generic_init
mcrypt_generic
mcrypt_get_block_size
mcrypt_get_cipher_name
mcrypt_get_iv_size
mcrypt_get_key_size
mcrypt_list_algorithms
mcrypt_list_modes
mcrypt_module_close
mcrypt_module_get_algo_block_size
mcrypt_module_get_algo_key_size
mcrypt_module_get_supported_key_sizes
mcrypt_module_is_block_algorithm_mode
mcrypt_module_is_block_algorithm
mcrypt_module_is_block_mode
mcrypt_module_open
mcrypt_module_self_test
mcrypt_ofb
mdecrypt_generic

You can quickly find code that uses Mcrypt functionality using the following shell command:

# Every function the Mcrypt extension provided; all of them are gone in PHP 7.2.
lh_mcrypt_functions=(
  "mcrypt_cfb"
  "mcrypt_cbc"
  "mcrypt_create_iv"
  "mcrypt_decrypt"
  "mcrypt_ecb"
  "mcrypt_enc_get_algorithms_name"
  "mcrypt_enc_get_block_size"
  "mcrypt_enc_get_iv_size"
  "mcrypt_enc_get_key_size"
  "mcrypt_enc_get_modes_name"
  "mcrypt_enc_get_supported_key_sizes"
  "mcrypt_enc_is_block_algorithm_mode"
  "mcrypt_enc_is_block_algorithm"
  "mcrypt_enc_is_block_mode"
  "mcrypt_enc_self_test"
  "mcrypt_encrypt"
  "mcrypt_generic_deinit"
  "mcrypt_generic_end"
  "mcrypt_generic_init"
  "mcrypt_generic"
  "mcrypt_get_block_size"
  "mcrypt_get_cipher_name"
  "mcrypt_get_iv_size"
  "mcrypt_get_key_size"
  "mcrypt_list_algorithms"
  "mcrypt_list_modes"
  "mcrypt_module_close"
  "mcrypt_module_get_algo_block_size"
  "mcrypt_module_get_algo_key_size"
  "mcrypt_module_get_supported_key_sizes"
  "mcrypt_module_is_block_algorithm_mode"
  "mcrypt_module_is_block_algorithm"
  "mcrypt_module_is_block_mode"
  "mcrypt_module_open"
  "mcrypt_module_self_test"
  "mcrypt_ofb"
  "mdecrypt_generic"
)

# Join the names with "|" into one extended regular expression.
find_lh_mcrypt_functions=$(IFS='|'; echo "${lh_mcrypt_functions[*]}")

# Search every .php file below the current directory; -n prints the line number of each hit.
grep -Ern --include "*.php" "$find_lh_mcrypt_functions" .
