Re: [RFC] [VOTE] Deprecations for PHP 8.4

Date: Sat, 27 Jul 2024 22:14:32 +0000
Subject: Re: [RFC] [VOTE] Deprecations for PHP 8.4
Groups: php.internals
On 2024-07-28 00:36, Rowan Tommins [IMSoP] wrote:
> On 27 July 2024 00:58:17 BST, Morgan <[email protected]> wrote:
>> I'm not talking about the MD5 or SHA1 algorithms or whether they should or shouldn't be used. I'm just talking about the functions themselves. md5(), md5_file(), sha1(), and sha1_file(). They only exist because there wasn't the generic hash algorithm extension when they were created.
>
> I understand what is being claimed (and you're not the only one claiming it), I'm just not convinced it's true.

I'm just looking at the manual's version information about when the functions were introduced. Seems pretty unambiguous: md5, sha1, hash: versions 3, 4, and 5 (via PECL).

> I think they have standalone functions for the same reason we added str_contains and str_starts_with - because it's convenient to have straightforward functions for common use cases.

Because there weren't any purpose-built functions that did the job, forcing users to use other functions in expensive ways for what is internally a pretty simple task. There is a purpose-built function for hashing.

> The hash() function is like a 60-piece set of interchangeable screwdriver heads, which only professionals and enthusiasts need; md5() and sha1() are like the flat-head and Phillips screwdrivers that everyone has in a drawer somewhere. The thing that always surprises me is that PHP *doesn't* have a standalone function for SHA-256, which is the only other I've ever used.

Why a SHA2 algorithm? Why not a SHA3 one? How about standalone functions for both, and then when SHA4 comes along (as it inevitably will) another standalone function for one of its variants?

> To continue the analogy, we're missing a Pozidriv screwdriver, so people are misusing the Phillips one. The RFC is suggesting that we take away their flat-head and Phillips screwdrivers, and leave them with the 60-piece set, and no instructions. My suggestion is we instead give them a Pozidriv screwdriver, and write some tips on how to use it correctly.

Or leave them the 60-piece set (which includes flat-head and Phillips screwdrivers, so they're not being taken away), and write some tips on how to use it correctly.

> Regards, Rowan Tommins [IMSoP]

