Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] Deprecations for PHP 8.4
From: lists@ageofdream.com (Nick Lockheart)
To: internals@lists.php.net
Date: Thu, 25 Jul 2024 18:54:53 -0400
In-Reply-To: <66A2D544.5060801@adviesenzo.nl>
References: <1a88918e-e808-d778-45e1-53797660e093@php.net> <9041cba85d6439682bb44fcb29210c944dbe3911.camel@ageofdream.com> <66A2D544.5060801@adviesenzo.nl>

On Fri, 2024-07-26 at 00:44 +0200, Juliette Reinders Folmer wrote:
> On 26-7-2024 0:00, Nick Lockheart wrote:
>
> > That's a good point. What if there were crypto functions that worked
> > like password_hash() in that they had one generic function name, but
> > magically used the new/better "best practice" algorithms as time went
> > by without the need to update any calling code?
> >
> > Maybe there should be three generic-named functions:
> >
> > fast_hash()    // not secure, makes UIDs quickly
> > secure_hash()  // uses best practice one-way hash algo
> > secure_crypt() // uses best practice reversible encryption.
>
> While I like the idea, this sounds like a huge nightmare in the
> waiting when data is stored somewhere and later compared.
>
> Example:
> * Let's say these functions get introduced in PHP 8.5.
> * `secure_hash()` is used in an application running on PHP 8.5 to
>   secure some data before storing it in a database. This data is used
>   in comparisons - stored vs user provided.
> * Now in PHP 9.1, the hash algorithm is changed.
> * The production environment gets updated to PHP 9.1 and suddenly
>   the application breaks as the data verification will no longer work
>   as the new algo is used on the user provided data, but the database
>   stored version of the same data was created with the old algo....

Doesn't password_hash() handle this automatically?

The result of the password_hash() function includes the hash and the
algorithm used to hash it. That way password_verify() magically works
with the string that came from password_hash().
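The self-describing hash format that the reply relies on, as an added example that is not part of the thread or of PHP's own source: the string returned by password_hash() carries the algorithm identifier, its parameters and the salt, so password_verify() reads them back from the stored value, and password_needs_rehash() gives an application a hook to migrate stored hashes when the preferred algorithm or cost changes (the scenario the quoted message worries about). The record and the cost change are constructed for the example; verifyAndMaybeRehash() is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a value read from a database row. The cost
// is pinned to 10 here so the migration step below is deterministic.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

// A bcrypt hash begins with "$2y$" and the cost, followed by the salt and
// the hash itself; the algorithm is recoverable from the string alone.
$info = password_get_info($stored);
echo 'stored algorithm: ', $info['algoName'], ', cost ', $info['options']['cost'], PHP_EOL;

// Verification takes the algorithm and parameters from the stored string,
// so the caller never has to know which algorithm produced it.
var_dump(password_verify('correct horse battery staple', $stored));
var_dump(password_verify('wrong password', $stored));

/**
 * Hypothetical login helper: verify the password against the stored hash
 * and, on success, regenerate the hash if it no longer matches the
 * current policy ($algo/$options). The caller persists the updated $stored.
 */
function verifyAndMaybeRehash(
    string $password,
    string &$stored,
    string|int|null $algo = PASSWORD_DEFAULT,
    array $options = []
): bool {
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, $algo, $options)) {
        // Only the plaintext known at login time can produce the new hash,
        // which is why the migration happens on successful verification.
        $stored = password_hash($password, $algo, $options);
    }
    return true;
}

// Constructed policy change: bcrypt cost raised from 10 to 12. The old hash
// still verifies, and the stored value is replaced with a cost-12 hash.
$ok = verifyAndMaybeRehash('correct horse battery staple', $stored, PASSWORD_BCRYPT, ['cost' => 12]);
$info = password_get_info($stored);
echo 'login ok: ', var_export($ok, true), '; now ', $info['algoName'], ', cost ', $info['options']['cost'], PHP_EOL;

// A hash produced by a different algorithm, where available, is handled the
// same way: password_verify() dispatches on the prefix of the stored string.
if (defined('PASSWORD_ARGON2ID')) {
    $argon = password_hash('correct horse battery staple', PASSWORD_ARGON2ID);
    var_dump(password_verify('correct horse battery staple', $argon));
    var_dump(password_needs_rehash($argon, PASSWORD_BCRYPT, ['cost' => 12]));
}
```

Run as a plain CLI script. The point for the thread's concern is the last step: a policy change does not break verification of old records, because the old algorithm is named inside each stored hash; password_needs_rehash() then lets the application re-hash lazily at login rather than all at once.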