diff --git a/functions.inc.php b/functions.inc.php
index a323f8cd..091e45e4 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -888,37 +888,57 @@ function validate_password($password) {
     return $result;
 }
 
-function _pacrypt_md5crypt($pw, $pw_db) {
-    $split_salt = preg_split('/\$/', $pw_db);
-    if (isset($split_salt[2])) {
-        $salt = $split_salt[2];
-        return md5crypt($pw, $salt);
+/**
+ * @param string $pw
+ * @param string $pw_db - encrypted hash
+ * @return string crypt'ed password, should equal $pw_db if $pw matches the original
+ */
+function _pacrypt_md5crypt($pw, $pw_db = '') {
+    if ($pw_db) {
+        $split_salt = preg_split('/\$/', $pw_db);
+        if (isset($split_salt[2])) {
+            $salt = $split_salt[2];
+            return md5crypt($pw, $salt);
+        }
     }
 
     return md5crypt($pw);
 }
 
-function _pacrypt_crypt($pw, $pw_db) {
+function _pacrypt_crypt($pw, $pw_db = '') {
     if ($pw_db) {
         return crypt($pw, $pw_db);
     }
     return crypt($pw);
 }
 
-function _pacrypt_mysql_encrypt($pw, $pw_db) {
+/**
+ * Crypt with MySQL's ENCRYPT function
+ *
+ * @param string $pw
+ * @param string $pw_db (hashed password)
+ * @return string if $pw_db and the return value match then $pw matches the original password.
+ */
+function _pacrypt_mysql_encrypt($pw, $pw_db = '') {
     // See https://sourceforge.net/tracker/?func=detail&atid=937966&aid=1793352&group_id=191583
     // this is apparently useful for pam_mysql etc.
-    $pw = escape_string($pw);
-    if ($pw_db!="") {
-        $values = array('pw' => $pw_db, 'salt' => substr($pw_db, 0, 2));
-        $res = db_query_one("SELECT ENCRYPT(:pw,:salt) as result", $values);
+
+    if ( $pw_db ) {
+        $res = db_query_one("SELECT ENCRYPT(:pw,:pw_db) as result", ['pw' => $pw, 'pw_db' => $pw_db]);
     } else {
-        $res= db_query_one("SELECT ENCRYPT(:pw) as result", array('pw' => $pw));
+        $res= db_query_one("SELECT ENCRYPT(:pw) as result", ['pw' => $pw]);
     }
 
     return $res['result'];
 }
 
+/**
+ * Create/Validate courier authlib style crypt'ed passwords. (md5, md5raw, crypt, sha1)
+ *
+ * @param string $pw
+ * @param string $pw_db (optional)
+ * @return string crypted password - contains {xxx} prefix to identify mechanism.
+ */
 function _pacrypt_authlib($pw, $pw_db) {
     global $CONF;
     $flavor = $CONF['authlib_default_flavor'];
@@ -945,11 +965,13 @@ function _pacrypt_authlib($pw, $pw_db) {
 }
 
 /**
+ * Uses the doveadm pw command, crypted passwords have a {...} prefix to identify type.
+ *
  * @param string $pw - plain text password
  * @param string $pw_db - encrypted password, or '' for generation.
- * @return string
+ * @return string crypted password
  */
-function _pacrypt_dovecot($pw, $pw_db) {
+function _pacrypt_dovecot($pw, $pw_db = '') {
     global $CONF;
 
     $split_method = preg_split('/:/', $CONF['encrypt']);
@@ -1040,9 +1062,11 @@ function _pacrypt_dovecot($pw, $pw_db) {
 }
 
 /**
+ * Supports DES, MD5, BLOWFISH, SHA256, SHA512 methods.
+ *
  * @param string $pw
  * @param string $pw_db (can be empty if setting a new password)
- * @return string
+ * @return string crypt'ed password; if it matches $pw_db then $pw is the original password.
  */
 function _pacrypt_php_crypt($pw, $pw_db) {
     global $CONF;
@@ -1177,12 +1201,13 @@ function _php_crypt_random_string($characters, $length) {
 /**
  * Encrypt a password, using the apparopriate hashing mechanism as defined in
  * config.inc.php ($CONF['encrypt']).
+ *
  * When wanting to compare one pw to another, it's necessary to provide the salt used - hence
  * the second parameter ($pw_db), which is the existing hash from the DB.
  *
  * @param string $pw
  * @param string $pw_db optional encrypted password
- * @return string encrypted password.
+ * @return string encrypted password - if this matches $pw_db then the original password is $pw.
  */
 function pacrypt($pw, $pw_db="") {
     global $CONF;
@@ -1213,12 +1238,15 @@ function pacrypt($pw, $pw_db="") {
     die('unknown/invalid $CONF["encrypt"] setting: ' . $CONF['encrypt']);
 }
 
-//
-// md5crypt
-// Action: Creates MD5 encrypted password
-// Call: md5crypt (string cleartextpassword)
-//
-
+/**
+ * Creates MD5 based crypt formatted password.
+ * If salt is not provided we generate one.
+ *
+ * @param string $pw plain text password
+ * @param string $salt (optional)
+ * @param string $magic (optional)
+ * @return string hashed password in crypt format.
+ */
 function md5crypt($pw, $salt="", $magic="") {
     $MAGIC = "$1$";
 
@@ -1286,6 +1314,9 @@ function md5crypt($pw, $salt="", $magic="") {
     return "$magic$salt\$$passwd";
 }
 
+/**
+ * @return string - should be random, 8 chars long
+ */
 function create_salt() {
     srand((int) microtime()*1000000);
     $salt = substr(md5("" . rand(0, 9999999)), 0, 8);
@@ -1631,7 +1662,7 @@ function db_sqlite() {
  * @param array $values
  * @return array
  */
-function db_query_all($sql, array $values = array()) {
+function db_query_all($sql, array $values = []) {
     $r = db_query($sql, $values);
     return $r['result']->fetchAll(PDO::FETCH_ASSOC);
 }
@@ -1641,7 +1672,7 @@ function db_query_all($sql, array $values = array()) {
  * @param array $values
  * @return array
  */
-function db_query_one($sql, array $values = array()) {
+function db_query_one($sql, array $values = []) {
     $r = db_query($sql, $values);
     return $r['result']->fetch(PDO::FETCH_ASSOC);
 }
@@ -1653,7 +1684,7 @@ function db_query_one($sql, array $values = array()) {
  * @param bool $throw_errors
  * @return int number of rows affected by the query
  */
-function db_execute($sql, array $values = array(), $throw_errors = false) {
+function db_execute($sql, array $values = [], $throw_errors = false) {
     $link = db_connect();
 
     try {