sha256 only in PHP 5?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

sha256 only in PHP 5?

Post by kaisellgren »

Hi,

Is hash("sha256","string"); only usable in PHP 5 or does it work in version 4 too?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

If I remember right it's only php 5. But can be added to php4 with an Pecl extension
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

I was just reading that line from the doc... and I guess pecl installing is not very popular? So maybe I'll forget sha256 then because my script would be used by different servers and some of them are running php 4 without any possibilities of instlling pecls.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

I have no experience with pecl extensions, but if I'm correct you could download the extensions themselves and therefore it would be possible to bundle them together with your script.

And otherwise there's feyd's SHA256 Hashing Algorithm
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Yep, my class is there for environments where the hash extension is not enabled. I'm hoping to get the 2.0 interface out during Winter break, which starts tomorrow afternoon, that will have a completely different way of interacting with it and be far more flexible, tight and clean.

Anyways, I've tested my class in at late at 4.4.4. Provided E_STRICT is off, it should also run fine in 5, but I haven't really tested it.

2.0 will have separate versions for 4 and 5. The 5 branch will attempt to detect the availability of the hashing extension and use it where possible, however some operations will require the pure php implementation.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

Feyd you are very helpful man and thanks for that :)

What do you think as a hashmaster, what of these is the most secure way to protect data?

$str = "to be hashed";
sha1(md5($str));
md5(sha1($str));
md5($str);
sha1($str);

Your library seemed very good, but to avoid any possible bugs, I decided not to use any non-rebuild functions as they may be a little unstable. Not saying your is unstable, but I do not want to take any risks.

PS. Sorry for spelling your name with capitalized 'F', I just always start a sentence with capitalized letter...
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

sha1() alone is more secure than the other three.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Post by kaisellgren »

feyd wrote:sha1() alone is more secure than the other three.
Okay thank you, I trust you :)
Post Reply