On Sun, Jul 28, 2024, at 00:14, Morgan wrote:
> On 2024-07-28 00:36, Rowan Tommins [IMSoP] wrote:
> >
> > On 27 July 2024 00:58:17 BST, Morgan <weedpac...@varteg.nz> wrote:
> >>
> >> I'm not talking about the MD5 or SHA1 algorithms or whether they should or
> >> shouldn't be used. I'm just talking about the functions themselves. md5(),
> >> md5_file(), sha1(), and sha1_file(). They only exist because there wasn't
> >> the generic hash algorithm extension when they were created.
> >
> > I understand what is being claimed (and you're not the only one claiming
> > it), I'm just not convinced it's true.
>
> I'm just looking at the manual's version information about when the
> functions were introduced. Seems pretty unambiguous: md5, sha1, hash:
> versions 3, 4, and 5 (via PECL).
>
> > I think they have standalone functions for the same reason we added
> > str_contains and str_starts_with - because it's convenient to have
> > straightforward functions for common use cases.
>
> Because there weren't any purpose-built functions that did the job,
> forcing users to use other functions in expensive ways for what is
> internally a pretty simple task. There is a purpose-built function for
> hashing.
>
> > The hash() function is like a 60-piece set of interchangeable screwdriver
> > heads, which only professionals and enthusiasts need; md5() and sha1() are
> > like the flat-head and Phillips screwdrivers that everyone has in a drawer
> > somewhere.
> >
> > The thing that always surprises me is that PHP *doesn't* have a standalone
> > function for SHA-256, which is the only other I've ever used.
>
> Why a SHA2 algorithm? Why not a SHA3 one? How about standalone functions
> for both, and then when SHA4 comes along (as it inevitably will) another
> standalone function for one of its variants?
>
> > To continue the analogy, we're missing a Pozidriv screwdriver, so people
> > are misusing the Phillips one. The RFC is suggesting that we take away
> > their flat-head and Phillips screwdrivers, and leave them with the 60-piece
> > set, and no instructions.
> >
> > My suggestion is we instead give them a Pozidriv screwdriver, and write
> > some tips on how to use it correctly.
>
> Or leave them the 60-piece set (which includes flat-head and
> Phillips screwdrivers, so they're not being taken away), and write some
> tips on how to use it correctly.
>
> > Regards,
> > Rowan Tommins
> > [IMSoP]

I'd love to see a "hashing" namespace and all of these given their own functions with docblocks and manual pages instead of the current generic "god of hash" page which doesn't even list the hash functions available; you have to click on hash_algos and then look at the var_dump of hash algorithms. From there, you can google each one and try to understand what each one is good at and why you would use murmur3a over murmur3f, then try to figure out which one is the version that is compatible with JavaScript but not compatible with C# or maybe the other way around... (I recently got to go on that ride).

If we are going to deprecate the standalone functions (see the sha1 page, which at least links to a page about the sha1 algorithm, or the md5 RFC, which links to the md5 RFC) we should seriously invest in documenting these hashing algorithms and explaining them. At the very least, link to their respective RFCs.

— Rob
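
Added example, not part of the thread or of the PHP manual: a short script that builds the overview the discussion says is missing, listing every algorithm from `hash_algos()` with its digest size and whether PHP accepts it for HMAC. It relies on `hash_hmac_algos()` (PHP 7.2+) omitting non-cryptographic algorithms; the input string is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample input, not taken from the thread.
$data = 'The quick brown fox';

// The standalone functions and the generic hash() call are interchangeable:
// both comparisons below evaluate to true.
var_dump(md5($data) === hash('md5', $data));
var_dump(sha1($data) === hash('sha1', $data));

// hash_hmac_algos() leaves out checksums and hash-table hashes
// (crc32, adler32, fnv*, joaat, murmur3*, xxh*), so membership in it
// separates "designed as a cryptographic hash" from "not".
$hmacCapable = array_flip(hash_hmac_algos());

printf("%-14s %5s  %s\n", 'algorithm', 'bits', 'kind');
foreach (hash_algos() as $algo) {
    // Raw output length in bytes gives the digest size.
    $bits = strlen(hash($algo, $data, true)) * 8;

    // Note: "cryptographic" describes the design goal only.
    // md5 and sha1 land in this group but are broken for collision resistance.
    $kind = isset($hmacCapable[$algo])
        ? 'cryptographic design'
        : 'non-cryptographic (checksum / hash table)';

    printf("%-14s %5d  %s\n", $algo, $bits, $kind);
}
```

On PHP 8.1 or later the table includes the MurmurHash3 variants mentioned above, which differ in digest size and all fall in the non-cryptographic group.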