Do not use a weak hash algorithm
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
ID: php-security/weak-hash-algorithm
Language: PHP
Severity: Error
Category: Security
CWE: 1240
Description
This rule is set to prevent the use of outdated or weak cryptographic hash functions in your PHP code. Hash functions are a crucial part of many data security operations, including password storage and data integrity checks. However, not all hash functions offer the same level of security.
Weak hash algorithms, such as MD5 or SHA1, are vulnerable to various types of attacks, including collision attacks and preimage attacks. This can potentially lead to unauthorized access to sensitive data, data corruption, or other security breaches.
To adhere to this rule and maintain high levels of security in your PHP applications, it’s recommended to use strong, up-to-date hash functions. PHP offers the password_hash()
function, which uses a strong hash algorithm (bcrypt by default) and automatically handles the creation of salt values. Alternatively, you can use the hash()
function with a strong algorithm such as SHA256 or SHA3.
Non-Compliant Code Examples
<?php
$hash = md5($data);
$hash = sha1($data);
$hash = hash('md4', $data);
$hash = hash("md4", $data);
$hash = hash('md2', $data);
$hash = hash('haval128,3', $data);
$hash = hash('haval128,4', $data);
$hash = hash('haval128,5', $data);
$hash = hash('ripemd128', $data);
$hash = hash('ripemd160', $data);
Compliant Code Examples
<?php
$hash = hash('sha256', $data); // Secure
$hash = hash('sha512', $data); // Secure
$hash = hash('sha3-256', $data); // Secure
$hash = hash('sha3-512', $data); // Secure