Newsgroups: php.internals
Xref: news.php.net php.internals:124597
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
From: php-internals_nospam@adviesenzo.nl (Juliette Reinders Folmer)
To: internals@lists.php.net
Date: Fri, 26 Jul 2024 00:44:20 +0200
Message-ID: <66A2D544.5060801@adviesenzo.nl>
In-Reply-To: <9041cba85d6439682bb44fcb29210c944dbe3911.camel@ageofdream.com>
References: <1a88918e-e808-d778-45e1-53797660e093@php.net> <9041cba85d6439682bb44fcb29210c944dbe3911.camel@ageofdream.com>

On 26-7-2024 0:00, Nick Lockheart wrote:
>
> That's a good point. What if there were crypto functions that worked
> like password_hash() in that they had one generic function name, but
> magically used the new/better "best practice" algorithms as time went
> by without the need to update any calling code?
>
> Maybe there should be three generic-named functions:
>
> fast_hash() // not secure, makes UIDs quickly
> secure_hash() // uses best practice one-way hash algo
> secure_crypt() // uses best practice reversible encryption.

While I like the idea, this sounds like a huge nightmare in the waiting when data is stored somewhere and later compared.

Example:
* Let's say these functions get introduced in PHP 8.5.
* `secure_hash()` is used in an application running on PHP 8.5 to secure some data before storing it in a database. This data is used in comparisons - stored vs user provided.
* Now in PHP 9.1, the hash algorithm is changed.
* The production environment gets updated to PHP 9.1 and suddenly the application breaks as the data verification will no longer work as the new algo is used on the user provided data, but the database stored version of the same data was created with the old algo....
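The upgrade scenario sketched above, as an added example that is not part of this thread and not proposed PHP code: a generic one-way hash whose output carries no record of the algorithm that produced it breaks exactly as described once the runtime's default changes, while a self-describing output (the approach password_hash() already takes with its `$2y$` / `$argon2id$` prefixes, paired with password_verify() and password_needs_rehash()) keeps old stored values verifiable and lets the application migrate them lazily. The function names `naive_secure_hash`, `secure_hash_v`, `secure_verify_v` and `secure_needs_rehash_v`, the two-algorithm registry and the "8.5 = sha256, 9.1 = sha3-256" defaults are all constructed for the illustration; plain hash() stands in for whatever "best practice" primitive such a function would wrap.

```php
<?php
declare(strict_types=1);

// Constructed: the runtime's "current best practice" algorithm. Imagine the
// value being 'sha256' on PHP 8.5 and 'sha3-256' on PHP 9.1.
const CURRENT_ALGO = 'sha3-256';

// Algorithms this installation can still *verify*, even after they stop
// being the default for *new* hashes. Old entries must never be dropped
// while stored values produced with them may still exist.
const KNOWN_ALGOS = ['sha256', 'sha3-256'];

// Naive design: the output says nothing about how it was produced, so it
// can only be compared against a value computed with the same default.
function naive_secure_hash(string $data, string $algo = CURRENT_ALGO): string
{
    return hash($algo, $data);
}

// Self-describing design: output is "$algo$hex" (hypothetical format that
// mirrors the idea behind password_hash()'s "$2y$..." strings).
function secure_hash_v(string $data, string $algo = CURRENT_ALGO): string
{
    if (!in_array($algo, KNOWN_ALGOS, true)) {
        throw new InvalidArgumentException("Unknown algorithm: $algo");
    }
    return '$' . $algo . '$' . hash($algo, $data);
}

// Verification uses the algorithm recorded in the stored value, not the
// current default, so values written under an older default still verify.
function secure_verify_v(string $data, string $stored): bool
{
    $parts = explode('$', $stored, 3); // ['', algo, hex]
    if (count($parts) !== 3 || $parts[0] !== '' || !in_array($parts[1], KNOWN_ALGOS, true)) {
        return false;
    }
    // Constant-time comparison, as password_verify() does.
    return hash_equals($parts[2], hash($parts[1], $data));
}

// Mirrors password_needs_rehash(): reports whether a stored value predates
// the current default, so it can be re-hashed once the plaintext is at hand.
function secure_needs_rehash_v(string $stored, string $algo = CURRENT_ALGO): bool
{
    $parts = explode('$', $stored, 3);
    return count($parts) !== 3 || $parts[1] !== $algo;
}

// --- Walk-through with constructed data ------------------------------------
$secret = 'user-provided-value';

// "PHP 8.5": both designs store the value under the then-current default.
$storedNaive  = naive_secure_hash($secret, 'sha256');
$storedTagged = secure_hash_v($secret, 'sha256');

// "PHP 9.1": the default is now sha3-256.
// Naive design: the freshly computed value no longer matches what was stored.
var_dump(hash_equals($storedNaive, naive_secure_hash($secret)));

// Self-describing design: the stored value still verifies ...
var_dump(secure_verify_v($secret, $storedTagged));
// ... and the application is told it should migrate it.
var_dump(secure_needs_rehash_v($storedTagged));

// Lazy migration: re-store under the new default right after a successful check.
if (secure_verify_v($secret, $storedTagged) && secure_needs_rehash_v($storedTagged)) {
    $storedTagged = secure_hash_v($secret);
}
var_dump(secure_needs_rehash_v($storedTagged));
```

The design point is that the registry of verifiable algorithms and the default for new hashes are two separate things: a release may change the default freely, but it can only retire an algorithm from the verify path after applications have had a chance to migrate, which is what the needs-rehash check is for.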
