On 2024-07-29 18:47, Rowan Tommins [IMSoP] wrote:
> On 29 July 2024 02:19:23 BST, Morgan <weedpac...@varteg.nz> wrote:
>> At that point you've got \PHP\sha3() instead of hash("sha3-?"), and now you've (a) lost the word
>> "hash" indicator of what's going on, and (b) hidden the choice of "?" from the user. I'm
>> not really seeing an improvement.
>
> Once again, you're assuming users have any idea a) what the numbers in the SHA3
> variants mean, and b) how to choose between them.
>
> I've seen plenty of uses of SHA-256 in the wild, and none of the other SHA2 variants. I
> don't know why, I presume people with far more knowledge than me have decided that is a
> good choice of variant. So when I'm looking for "something better than sha1()",
> I look for sha256(), remember it doesn't exist, and write hash('sha256', ...)
>
> If I'm doing it wrong, and should be making some calculation to choose SHA-382
> or SHA-512, please let me know. But don't assume that just forcing me to put
> the algorithm name in quote marks is going to make me know, or care, what the
> name actually means.
>
> Regards,
> Rowan Tommins
> [IMSoP]

It sounds like the argument for retaining md5() and sha1(), and adding
to them, isn't that they're easier to use in themselves, but that hash()
offers too many alternatives. If PHP were to offer _one_ specific hash
function (that's "one on top of those that it already offers") that can
be used without thinking, and leave hash() to those who may have to deal
with those alternatives - presumably they already know what they're
doing or they wouldn't be dealing with them.

That still doesn't protect md5() and sha1() from deprecation; if there
is a PHP-mandated default hash algorithm that gets its own name, then
users should be encouraged to use that one, which means not leaving the
others lying around for it to hide among. Anyone who needs to
continue to support the old algorithms can ... use hash().

When it comes to advice about which to use, that seems less the purview
of a PHP reference manual for the function, and more something like
https://csrc.nist.gov/projects/hash-functions