mcrypt Deprecation — Migrate to OpenSSL

php PHP 5.0+ Intermediate

TL;DR

mcrypt was deprecated in PHP 7.1 and removed in PHP 7.2 — migrate all encryption to OpenSSL (openssl_encrypt) or libsodium (sodium_crypto_secretbox).

Explanation

mcrypt was PHP's encryption extension for decades, but it had been unmaintained since 2007, exposed outdated algorithms, and had a confusing API. PHP 7.1 deprecated it and PHP 7.2 removed it.

The direct OpenSSL replacement is AES-256-CBC via openssl_encrypt($data, 'aes-256-cbc', $key, 0, $iv). The correct modern option is libsodium (PHP 7.2+) with sodium_crypto_secretbox(), which provides authenticated encryption and therefore detects tampering.

Key management: never hardcode keys; load them from environment variables or a secrets manager. Always use authenticated encryption (AES-GCM or libsodium): unauthenticated AES-CBC can be attacked via a padding oracle.

Common Misconception

AES-CBC is secure for all use cases — CBC without authentication (HMAC or AEAD) is vulnerable to padding oracle attacks. Use AES-GCM or libsodium instead.

Why It Matters

Any code using mcrypt fails on PHP 7.2+ and was likely using insecure encryption modes. Migration is mandatory and is an opportunity to fix the cryptography.

Common Mistakes

  • Migrating from mcrypt to AES-CBC without adding authentication (HMAC) — still vulnerable.
  • Not using sodium_crypto_secretbox(), which pairs with sodium_crypto_secretbox_keygen() and a random per-message nonce so that key and nonce handling are hard to get wrong.
  • Hardcoding encryption keys in source code.

Code Examples

✗ Vulnerable
// mcrypt — removed in PHP 7.2. Note also that MCRYPT_RIJNDAEL_256 is Rijndael with a
// 256-bit block size, not AES-256, and this call passes no IV and adds no authentication:
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_CBC);

✓ Fixed
// Modern libsodium (PHP 7.2+) — authenticated encryption:
$key = sodium_crypto_secretbox_keygen();                    // 32-byte key; keep it in a secrets manager, never in source
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // 24 bytes, fresh for every message
$encrypted = sodium_crypto_secretbox($data, $nonce, $key);  // ciphertext carries a 16-byte authentication tag
// Store or transmit the nonce alongside the ciphertext (it is not secret); only the key is secret.

// Decrypt: returns false if the key is wrong or the ciphertext/nonce was tampered with.
$decrypted = sodium_crypto_secretbox_open($encrypted, $nonce, $key);
if ($decrypted === false) {
    throw new RuntimeException('Decryption failed: wrong key or tampered ciphertext');
}
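A fuller migration helper, added here as an example and not code from the original page: it loads the key from an environment variable, stores the nonce (or the GCM IV and tag) in front of the ciphertext so decryption needs only the key, and fails closed when authentication fails, with AES-256-GCM via OpenSSL as the fallback named in the Quick Fix. The function names and the APP_ENC_KEY variable are assumptions.

```php
<?php
// Added example (not from the original page): a replacement for a legacy mcrypt helper.
// Function names and the APP_ENC_KEY environment variable are assumptions.
declare(strict_types=1);

// Load the key from the environment rather than source code (see Key management).
function load_key(): string {
    $b64 = getenv('APP_ENC_KEY');   // 32 random bytes, base64-encoded, set by the deployment
    if ($b64 === false) { throw new RuntimeException('APP_ENC_KEY not set'); }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) { throw new RuntimeException('APP_ENC_KEY must decode to 32 bytes'); }
    return $key;
}

// libsodium secretbox: a random nonce per message, stored in front of the ciphertext.
function encrypt_sodium(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = sodium_crypto_secretbox($plaintext, $nonce, $key);   // includes the 16-byte MAC
    return base64_encode($nonce . $ct);
}

function decrypt_sodium(string $encoded, string $key): string {
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) { throw new RuntimeException('ciphertext too short'); }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pt = sodium_crypto_secretbox_open($ct, $nonce, $key);     // false on wrong key or tampering
    if ($pt === false) { throw new RuntimeException('decryption failed: wrong key or tampered data'); }
    return $pt;
}

// Fallback when ext/sodium is unavailable: AES-256-GCM via OpenSSL, IV and tag stored with the ciphertext.
function encrypt_gcm(string $plaintext, string $key): string {
    $iv = random_bytes(12);   // 96-bit IV, unique per message under the same key
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) { throw new RuntimeException(openssl_error_string() ?: 'encrypt failed'); }
    return base64_encode($iv . $tag . $ct);   // tag is 16 bytes by default
}

function decrypt_gcm(string $encoded, string $key): string {
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < 28) { throw new RuntimeException('ciphertext too short'); }
    $iv = substr($raw, 0, 12); $tag = substr($raw, 12, 16); $ct = substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);   // false if tag check fails
    if ($pt === false) { throw new RuntimeException('decryption failed: wrong key or tampered data'); }
    return $pt;
}
```

Both decrypt functions return only authenticated plaintext, so a flipped byte in the stored value raises an exception instead of yielding garbage as mcrypt CBC would.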

Added 23 Mar 2026
Tools & Severity

Severity: Critical. Fix effort: Medium.
⚡ Quick Fix
Replace mcrypt with libsodium (sodium_crypto_secretbox). Use AES-256-GCM via openssl if libsodium is unavailable. Never use CBC without HMAC authentication.
📦 Applies To
PHP 5.0+ (web, cli)
🔍 Detection Hints
Pattern: mcrypt_encrypt|mcrypt_decrypt
Auto-detectable: Yes (rector, phpcs)
CWE-327, CWE-326, CWE-311