Re: [PHP-DEV] [RFC] deprecate md5_file and sha1_file

February 11, 2020 09:34 php.lists@allenjb.me.uk (AllenJB)
As others have mentioned, this will do nothing but make people annoyed 
and switch to the hash_file() version of exactly the same thing or put 
up another hurdle to upgrading PHP.

The password hashing API now provides an obvious go-to for password hashing.

For other hashing usages there are, I think, basically two scenarios 
developers find themselves in:

1) I'm using an API or some other external service and that requires the 
use of md5 / sha1 - I don't have a choice

2) What do I use instead? Internet searches return "sha1 / md5 is fine 
for this purpose" or recommend algorithms that aren't natively supported 
in PHP.

The (hash library) documentation does nothing towards helping developers 
decide what algorithms (or even which hash library functions) they 
should use for what purposes (and there are a lot of acronyms that many 
developers are likely to have never encountered that are never explained 
- HMAC, PBKDF2, HKDF).

Yes, of course developers can use third party sources to supplement the 
information in the manual, but who has time to go searching for that 
(esp. when most of the first page on Google probably tells you md5/sha1 
is fine anyway)?

If you want to change the way developers think about hashing when 
writing PHP, I would start with the documentation rather than 
deprecating functions which are essentially aliases and are highly 
likely used all over the place in cases where they do exactly what 
people want.

AllenJB

On 10/02/2020 21:49, Tom Van Looy via internals wrote:
> Hi
>
> While in some environments the use of MD5 and SHA1 are still acceptable for
> some use cases like file integrity verification etc. the use of these
> algorithms should be discouraged and not be your choice when developing new
> applications.
>
> I suggest to deprecate the functions md5_file() and sha1_file(). This will
> make people think about upgrading to a better alternative. If you still
> need this functionality you can always switch to the hash_file() function.
>
> Carrying around these two dedicated functions seems a bit too much for a
> modern PHP. What do you think?
>
> My feeling was that this is a no brainer. Should I open an RFC for this?
>
> Kind regards,
>
> Tom Van Looy
February 11, 2020 11:18 phpmailinglists@gmail.com (Peter Bowyer)
On Tue, 11 Feb 2020 at 09:34, AllenJB <lists@allenjb.me.uk> wrote:

> If you want to change the way developers think about hashing when
> writing PHP, I would start with the documentation rather than
> deprecating functions which are essentially aliases and are highly
> likely used all over the place in cases where they do exactly what
> people want.
I agree. It isn't wrong to use MD5 or SHA1 in the right situation (or even 
CRC32). The documentation can tell people when they can use these 
algorithms, and when they must not think about using them. Mark them in the 
documentation as "RECOMMENDED DO NOT USE" and guide people away.

Peter
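The two posts above make the same technical point from different angles: md5_file() and sha1_file() are thin aliases for hash_file() with a fixed algorithm name, and the question of which digest to use depends on whether you need unkeyed integrity checking, a keyed tag, or password storage. The following script is an added illustration and is not part of the thread or of PHP's own documentation; it assumes a PHP 7+ interpreter with the standard hash extension, writes a constructed temporary file so it runs offline, and uses a placeholder HMAC key and password that exist only for the demonstration.

```php
<?php
// Added example, not from the thread: shows that the dedicated *_file()
// functions and hash_file() produce identical results, then contrasts the
// three situations the thread mentions (integrity digest, keyed tag,
// password hash). All inputs are constructed here for the demo.
declare(strict_types=1);

// Constructed sample input: a small temporary file.
$path = tempnam(sys_get_temp_dir(), 'hashdemo');
file_put_contents($path, "example payload\n");

// 1) Unkeyed digest for integrity checking.
//    The dedicated functions are aliases of hash_file() with a fixed name.
$sameMd5  = (md5_file($path)  === hash_file('md5',  $path));
$sameSha1 = (sha1_file($path) === hash_file('sha1', $path));

//    When the algorithm is your choice (no external service dictates it),
//    the same call shape gives a current one; only the name changes.
$digest = hash_file('sha256', $path);

//    Checking a digest against a stored value: use a constant-time compare
//    so the comparison itself does not leak where the strings diverge.
$storedDigest   = $digest; // assume this came from a trusted manifest
$integrityOk    = hash_equals($storedDigest, hash_file('sha256', $path));

// 2) Keyed digest (HMAC) when whoever can alter the file could also
//    recompute a plain digest; only holders of the key can produce the tag.
$hmacKey = 'placeholder-demo-key'; // placeholder: load a random key from a secret store
$tag     = hash_hmac_file('sha256', $path, $hmacKey);
$tagOk   = hash_equals($tag, hash_hmac_file('sha256', $path, $hmacKey));

// 3) Password storage is a separate API entirely: salted, slow, self-describing.
$pwHash = password_hash('demo-password', PASSWORD_DEFAULT); // placeholder password
$pwOk   = password_verify('demo-password', $pwHash);

unlink($path);

printf("md5_file == hash_file('md5'):   %s\n", $sameMd5  ? 'yes' : 'no');
printf("sha1_file == hash_file('sha1'): %s\n", $sameSha1 ? 'yes' : 'no');
printf("sha256 of file:                 %s\n", $digest);
printf("integrity check passes:         %s\n", $integrityOk ? 'yes' : 'no');
printf("hmac tag verifies:              %s\n", $tagOk ? 'yes' : 'no');
printf("password verifies:              %s\n", $pwOk ? 'yes' : 'no');
```

Run it with `php hashdemo.php`. The first two lines confirm the aliasing the posts rely on, and the remaining three show why the documentation question matters more than the function names: the same hash extension serves integrity, authentication and password use cases, and the right function (hash_file, hash_hmac_file, password_hash) differs by purpose rather than by digest name.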