PHP currently has dedicated functions for calculating MD5 and SHA-1 hashes, both of which were once common but are now considered broken from a security point of view. It is widely recommended to use SHA-256 for the purposes these were previously suited to, but PHP lacks dedicated functions to do so. This RFC proposes to add functions for calculating a SHA-256 hash from a string (sha256()), and from a file (sha256_file()). It also proposes to move these functions from ext/standard to ext/hash, primarily as an aid to organising the official manual.
The following new functions will be added:
A proposal to deprecate the md5(), sha1(), md5_file(), and sha1_file() functions in the bulk deprecations for PHP 8.4 RFC was declined. Its rationale said, in part:
Unfortunately these cryptographically secure hash functions are only available by means of the generic hash() function (and the closely related hash_init(), hash_file(), and hash_hmac functions), making using them more verbose and thus seemingly more complicated than the standalone md5(), sha1(), md5_file(), and sha1_file() functions [...]
The hash() family of functions (including hash_file, hash_init(), and more) form a powerful “toolkit”
sha224(), sha256(), sha384(), and sha512()), four variants of SHA-3, two of SHAKE, and two of BLAKE2. The SHA-3, SHAKE, and BLAKE2 algorithms were added in Python 3.6 (2016).
MD5, SHA1, SHA256, SHA384, SHA512, SHA3_256, SHA3_384, and SHA3_512; separate classes (outside of that hierarchy) also exist for Shake128 and Shake256.
SHA256, SHA384, and SHA512.
Digest::SHA2.new(bitlen) and short-hand Digest::SHA256, Digest::SHA384, and Digest::SHA512).
md5, sha1, sha256 (which also implements SHA-224), and sha512 (which also implements SHA-384, SHA-512/224 and SHA-512/256).
Some databases also provide standalone functions for common hashing algorithms:
md5() and sha1(), plus a combined sha2() function which takes an argument to select SHA-224, SHA-256, SHA-384, or SHA-512.
sha224(), sha256(), sha384(), and sha512() functions since version 11.0 (released in 2018). Prior versions offered only md5() outside of an optional extension, as discussed in the patch proposing them.
MD2, MD4, MD5, SHA, SHA1, SHA2_256, and SHA2_512 (the algorithms older than SHA-2 log a deprecation notice)
crc32(), md5() and sha1; sha256() and sha512() variants of SHA-2, plus two variants of SpookyHashV2, one of xxHash, and one of Murmur3
What breaks, and what is the justification for it?
List the proposed PHP versions that the feature will be included in. Use relative versions such as “next PHP 8.x” or “next PHP 8.x.y”.
Describe the impact to CLI, Development web server, embedded PHP etc.
Will existing extensions be affected?
It is necessary to develop RFCs with opcache in mind, since opcache is a core extension distributed with PHP.
Please explain how you have verified your RFC's compatibility with opcache.
Describe any new constants so they can be accurately and comprehensively explained in the PHP documentation.
If there are any php.ini settings then list:
Make sure there are no open issues when the vote starts!
List existing areas/features of PHP that will not be changed by the RFC.
This helps avoid any ambiguity, shows that you have thought deeply about the RFC's impact, and helps reduce mail list noise.
This section details areas where the feature might be improved in future, but that are not currently proposed in this RFC.
Include these so readers know where you are heading and can discuss the proposed voting options.
Links to any external patches and tests go here.
If there is no patch, make it clear who will create a patch, or whether a volunteer to help with implementation is needed.
Make it clear if the patch is intended to be the final patch, or is just a prototype.
For changes affecting the core language, you should also provide a patch for the language specification.
After the project is implemented, this section should contain
Links to external references, discussions or RFCs
Keep this updated with features that were discussed on the mail lists.