On 27 July 2024 00:58:17 BST, Morgan <[email protected]> wrote:
>
>I'm not talking about the MD5 or SHA1 algorithms or whether they should or shouldn't
>be used. I'm just talking about the functions themselves. md5(), md5_file(), sha1(), and
>sha1_file(). They only exist because there wasn't the generic hash algorithm extension when
>they were created.

I understand what is being claimed (and you're not the only one claiming it), I'm just not
convinced it's true. I think they have standalone functions for the same reason we added
str_contains and str_starts_with - because it's convenient to have straightforward functions
for common use cases.

The hash() function is like a 60-piece set of interchangeable screwdriver heads, which only
professionals and enthusiasts need; md5() and sha1() are like the flat-head and Phillips
screwdrivers that everyone has in a drawer somewhere.

The thing that always surprises me is that PHP *doesn't* have a standalone function for
SHA-256, which is the only other I've ever used.

To continue the analogy, we're missing a Pozidriv screwdriver, so people are misusing the
Phillips one. The RFC is suggesting that we take away their flat-head and Phillips screwdrivers, and
leave them with the 60-piece set, and no instructions.

My suggestion is we instead give them a Pozidriv screwdriver, and write some tips on how to use it
correctly.

Regards,
Rowan Tommins
[IMSoP]