{"id":18540096,"url":"https://github.com/alin11/php-security-functions","last_synced_at":"2026-03-19T04:58:36.356Z","repository":{"id":135421271,"uuid":"176723660","full_name":"AliN11/php-security-functions","owner":"AliN11","description":"Complete guide to PHP hash and encryption functions","archived":false,"fork":false,"pushed_at":"2019-04-13T14:27:20.000Z","size":33,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-15T03:42:49.451Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AliN11.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-20T11:58:48.000Z","updated_at":"2023-01-12T15:03:21.000Z","dependencies_parsed_at":null,"dependency_job_id":"4f7dc35b-84c9-4831-8e68-b49416508457","html_url":"https://github.com/AliN11/php-security-functions","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/AliN11/php-security-functions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliN11%2Fphp-security-functions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliN11%2Fphp-security-functions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliN11%2Fphp-security-functions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliN11%2Fphp-security-functions/manifests","owner_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/owners/AliN11","download_url":"https://codeload.github.com/AliN11/php-security-functions/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AliN11%2Fphp-security-functions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28755918,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-25T16:32:25.380Z","status":"ssl_error","status_checked_at":"2026-01-25T16:32:09.189Z","response_time":113,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T19:53:01.365Z","updated_at":"2026-01-25T17:31:27.998Z","avatar_url":"https://github.com/AliN11.png","language":null,"readme":"  # PHP Security Functions\n\n*Updating...*\n\nA complete guide to PHP hash and encryption functions\n\nI'll answer these questions for each item:\n\n  - What is it?\n  - How to use it?\n  - When to use it?\n  - When not to use it?\n\n\n\n  ## MD5\n**What is it?**\n\nIt is a **one-way** cryptographic function that accepts a message of **any length** as input and returns as output a **fixed-length** (128 bit) digest value to be used for authenticating the original message.\n\n\n\n\u003cbr\u003e\n\n\n\n**How to use it?**\n\n  ```php\nmd5 ( string $str [, bool $raw_output = FALSE ] ) : string\n  ```\n\nIf the optional `$raw_output` is set to true, the plain binary string of the hash will be returned. 
This is only useful if you need to store or transfer the hash in a binary format.  [🔗](https://stackoverflow.com/a/7811439/3578287)\n\n  ```php\n  $str = 'I love you';\n\n  $hash = md5($str); // e4f58a805a6e1fd0f6bef58c86f9ceb3\n  $hash = md5($str, true); // ����Zn\u001f�������γ\n  ```\n\n\n\n\u003cbr\u003e\n\n\n\n**When to use it?**\n\nFor non-security cases, e.g. generating random strings for file names. \n\n\n\n\u003cbr\u003e\n\n\n\n**When not to use it?**\n\nAs php.net says, it is not recommended to use md5 to secure passwords:\n\n  \u003e  Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to \"brute force\" the output of these algorithms, in order to determine the original input.\n  \u003e\n  \u003e  Because of how quickly a modern computer can \"reverse\" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.\n\n\n\n\u003cbr\u003e\n\n\n\n  ## SHA1\n\n**What is it?**\n\nIt is a **one-way** cryptographic function that accepts a message of **any length** as input and returns as output a **fixed-length** (160 bit) digest value to be used for authenticating the original message. It is more secure but slower than MD5.\n\n\n\n\u003cbr\u003e\n\n\n\n**How to use it?**\n\n  ```php\nsha1 ( string $str [, bool $raw_output = FALSE ] ) : string\n  ```\nThe optional `$raw_output` is similar to [MD5](https://github.com/AliN11/php-security-functions#md5).\n\n  ```php\n$str = 'I love you';\n\n$hash = sha1($str); // ce48c9870c7ae19796438aed65458c8bdc335157\n$hash = sha1($str, true); // �Hɇ\fzᗖC��eE���3QW\n  ```\n\n\n\n\u003cbr\u003e\n\n\n\n**When to use it?**\n\nFor non-security cases, e.g. generating random strings for file names. \n\nNot all hash uses are security-related. Git uses SHA1 to cheaply distinguish between objects. 
In that case, because the possibility of collision between two documents is incredibly small with SHA1, there really is no justification for the additional space requirement of SHA512 when SHA1 is more than suitable for the task. [🔗](https://stackoverflow.com/a/2640600/3578287) [🔗](https://stackoverflow.com/questions/2640566/why-use-sha1-for-hashing-secrets-when-sha-512-is-more-secure#comment2655203_2640566)\n\n\n\n\u003cbr\u003e\n\n\n\n**When not to use it?**\n\nSimilar to [MD5](https://github.com/AliN11/php-security-functions#md5), it is not recommended to use SHA1 to secure passwords.\n\n\n\n\u003cbr\u003e\n\n\n\n## SHA2 Family\n\n**What is it?**\n\nSHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions. The SHA-2 family consists of six hash functions with digests of 224, 256, 384 or 512 bits:\n\n SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. [🔗](https://en.wikipedia.org/wiki/SHA-2)\n\nThey are **one-way** cryptographic functions that accept a message of **any length** as input and return as output a **fixed-length** digest value.\n\n\n\n\u003cbr\u003e\n\n\n\n| Function    | Output Length (Bits) |\n| ----------- | -------------------- |\n| SHA-224     | 224                  |\n| SHA-256     | 256                  |\n| SHA-384     | 384                  |\n| SHA-512     | 512                  |\n| SHA-512/224 | 224                  |\n| SHA-512/256 | 256                  |\n\n\n\n\u003cbr\u003e\n\n\n\n**How to use it?**\n\nYou can use them via PHP's `hash` function:\n\n```php\n hash ( string $algorithm , string $data [, bool $raw_output = FALSE ] ) : string\n     \n // $algorithm may be: sha224, sha256, sha384, sha512, sha512/224, sha512/256\n // or any other algorithm name returned by the hash_algos() function\n```\n\n\n\n\u003cbr\u003e\n\n\n\n**When to use it?**\n\nThey are general purpose hash functions. They are good only for non-security cases, e.g. generating random strings for file names. 
\n\n\n\n\u003cbr\u003e\n\n\n\n**When not to use it?**\n\nSimilar to SHA1 and MD5, you should not use them for security cases such as hashing sensitive data. \n\n\u003e General-purpose hashes have been obsolete for passwords for over a decade. The issue is that they're fast, and passwords have low entropy, meaning brute-force is very easy with any general-purpose hash. You need to use a function which is deliberately slow, like PBKDF2, bcrypt, or scrypt.  [🔗](https://security.stackexchange.com/a/90065/102970)\n\n\n\u003cbr\u003e\n\n\n## Bcrypt\n\n**What is it?**\n\nBcrypt is a password hashing function. Bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. [🔗](https://en.wikipedia.org/wiki/Bcrypt)\n\nAlert: When using bcrypt you should be aware that it limits your maximum password length to 50-72 bytes.\n\n\n\n\u003cbr\u003e\n\n\n\n**How to use it?**\n\n```php\n$options = [\n    'cost' =\u003e 12,\n];\n\npassword_hash(\"password\", PASSWORD_BCRYPT, $options);\n```\n\nThis will always result in a hash using the `$2y$` crypt format, which is always 60 characters wide. The `cost` parameter defines how many iterations over the password should be performed. A higher cost means higher security but a longer execution time.\n\nAs [php.net](https://www.php.net/manual/en/function.password-hash.php) says:\n\nIt is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one. Providing the salt option in PHP 7.0 will generate a deprecation warning. Support for providing a salt manually may be removed in a future PHP release.   \n\nIt is recommended that you test this function on your servers, and adjust the cost parameter \nso that execution of the function takes less than 100 milliseconds on interactive systems. 
See example #3 in the above link.\n\n\n\n\u003cbr\u003e\n\n\n\n**When to use it?**\n\nWhen security matters, i.e. when you want passwords that are practically uncrackable.\n\n\n\n\u003cbr\u003e\n\n\n\n**When not to use it?**\n\nBcrypt takes time and resources to generate (in comparison to MD5, SHA1, etc.). You can easily compare the cost of generating Bcrypt vs SHA1 hashes in a `for` loop. So if you are hashing a string where security doesn't matter, do not use Bcrypt. Use fast hashing algorithms.\n\n\n\n\u003cbr\u003e\n\n\n\n## Argon2\n\n**What is it?**\n\nArgon2 is a password-hashing function that can be used to hash passwords for credential storage, key derivation, or other applications.\n\nArgon2 has three variants: Argon2i, Argon2d, and Argon2id.\n\nArgon2d is faster and uses data-dependent memory access, which makes it highly resistant against GPU cracking attacks and suitable for applications with no threats from side-channel timing attacks (e.g. cryptocurrencies). \n\nArgon2i uses data-independent memory access, which is preferred for password hashing and password-based key derivation, but it is slower as it makes more passes over the memory to protect from tradeoff attacks.\n\nArgon2id is a hybrid of Argon2i and Argon2d, using a combination of data-dependent and data-independent memory accesses, which gives some of Argon2i's resistance to side-channel cache timing attacks and much of Argon2d's resistance to GPU cracking attacks.  
[🔗](https://github.com/p-h-c/phc-winner-argon2)\n\n\n\n\u003cbr\u003e\n\n\n\n**How to use it?**\n\n```php\n$options = ['memory_cost' =\u003e 2048, 'time_cost' =\u003e 4, 'threads' =\u003e 3];\n\n// PHP 7.2.0+\npassword_hash(\"password\", PASSWORD_ARGON2I, $options); // $argon2i$v=19$m=2048,t=4,p=3$dVBCdG9qbTdkN3dvSnpIcw$wXTxsa/LKAJGwk3+ZWXgfEx66Vs4R0JAMm7i3PNJ2wg\n\n\n// PHP 7.3.0+\npassword_hash(\"password\", PASSWORD_ARGON2ID, $options); // $argon2id$v=19$m=2048,t=4,p=3$aERwOTFDY2lPNUJZRDBoYw$VI2gLlJLzQZD3r9tYGszvN6uj2PZVuUv6Ukp7gcJ+dw\n```\n\n- `memory_cost` - Maximum memory (in bytes) that may be used to compute the Argon2 hash (default 1024)\n- `time_cost` - Maximum amount of time it may take to compute the Argon2 hash (default 2)\n- `threads` - Number of threads to use for computing the Argon2 hash (default 2)\n\n\u003cbr\u003e\n\n\n\n**When to use it?**\n\nArgon2i uses data-independent memory access. It is slow because it makes more passes over the memory to protect from tradeoff attacks. It is highly recommended for password hashing and password-based key derivation.\n\n\n\n\u003cbr\u003e\n\n\n\n**When not to use it?**\n\nAs I described in the [Bcrypt](https://github.com/AliN11/php-security-functions#bcrypt) section, if you are hashing something where security doesn't matter, do not use Argon2. 
Use fast hashing algorithms instead.\n\n\n\n\u003cbr\u003e\n\n\n\n*Other functions coming soon ...*\n\n\n\nResources:\n\nhttps://stackoverflow.com/a/47602045/3578287\n\nhttps://github.com/p-h-c/phc-winner-argon2\n\nhttps://searchsecurity.techtarget.com/definition/MD5\n\nhttp://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash\n\nhttps://stackoverflow.com/questions/2640566/why-use-sha1-for-hashing-secrets-when-sha-512-is-more-secure\n\nhttps://en.wikipedia.org/wiki/SHA-2\n\nhttps://www.mscharhag.com/software-development/bcrypt-maximum-password-length\n\nhttps://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falin11%2Fphp-security-functions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falin11%2Fphp-security-functions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falin11%2Fphp-security-functions/lists"}