PHP RFC: Hash Functions Empty Key Warning


In order to increase the security of the hashing functions, this RFC proposes raising a warning when the key is empty for hash_hmac(), hash_hmac_file() and mhash().


It's not uncommon to accidentally hash data with an empty or non-string key. Doing so silently weakens security, since PHP currently hashes data with an empty key without complaint. To bring the security issue to the attention of the user, a warning should be raised if the key is empty.

Ideally this would throw a fatal error, but as Enrico Zimuel pointed out, it's not technically an error.
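As an added illustration that is not part of the RFC, the PHP below shows how an empty key typically arises by accident, why the resulting HMAC offers no protection, and a userland guard that refuses such keys. The environment variable name and the guard function are assumptions for the example.

```php
<?php
// Added example, not code from the RFC or from php-src.
declare(strict_types=1);

// Constructed scenario: the key is read from an environment variable that was
// never set (hypothetical name). getenv() returns false when the variable is
// unset, and (string) false === '', so the key silently becomes empty.
function keyFromEnvironment(): string
{
    return (string) getenv('EXAMPLE_HMAC_KEY_NOT_SET');
}

// HMAC zero-pads the key up to the hash block size (64 bytes for SHA-256), so an
// empty key produces exactly the same tag as a 64-byte all-zero key. A tag that
// depends on no secret can be recomputed by anyone, so verifying it proves nothing.
function emptyKeyEqualsZeroKey(string $message): bool
{
    $emptyKeyTag = hash_hmac('sha256', $message, '');
    $zeroKeyTag  = hash_hmac('sha256', $message, str_repeat("\0", 64));
    return hash_equals($emptyKeyTag, $zeroKeyTag);
}

// Userland guard mirroring the RFC's intent, but stricter: it throws instead of
// warning, and it also rejects non-string keys rather than letting them be cast.
function hmacWithKeyCheck(string $algo, string $data, $key): string
{
    if (!is_string($key) || $key === '') {
        throw new InvalidArgumentException('HMAC key must be a non-empty string');
    }
    return hash_hmac($algo, $data, $key);
}

$message = 'user=alice&role=admin';
$key     = keyFromEnvironment();

// Before this RFC, PHP computes this tag without any diagnostic.
$unprotectedTag = hash_hmac('sha256', $message, $key);

echo 'Key is empty: ', var_export($key === '', true), PHP_EOL;
echo 'Empty-key tag equals all-zero-key tag: ',
     var_export(emptyKeyEqualsZeroKey($message), true), PHP_EOL;

try {
    hmacWithKeyCheck('sha256', $message, $key);
} catch (InvalidArgumentException $e) {
    echo 'Guard rejected the key: ', $e->getMessage(), PHP_EOL;
}
```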

Proposed PHP Version(s)

PHP 7.1

Proposed Voting Choices

This project requires a 2/3 majority to pass.

Patches and Tests

The patch is very lightweight; most of it is just the tests.

rfc/hash-functions-empty-key-warning.txt · Last modified: 2017/09/22 13:28 (external edit)