
Metadata

ID: php-security/weak-hash-algorithm

Language: PHP

Severity: Error

Category: Security

CWE: 1240

Description

This rule flags the use of outdated or weak cryptographic hash functions in PHP code. Hash functions underpin many data security operations, including password storage and data integrity checks, but not all hash functions offer the same level of security.

Weak hash algorithms, such as MD5 or SHA1, are vulnerable to various types of attacks, including collision attacks and preimage attacks. This can potentially lead to unauthorized access to sensitive data, data corruption, or other security breaches.

To comply with this rule and keep your PHP applications secure, use strong, current hash functions. For passwords, PHP offers the password_hash() function, which uses a strong algorithm (bcrypt by default) and handles salt generation automatically. For other uses, call hash() with a strong algorithm such as SHA256 or SHA3.

Non-Compliant Code Examples

<?php
$data = 'example input'; // constructed input so the snippet runs stand-alone

$hash = md5($data);                 // Weak: MD5
$hash = sha1($data);                // Weak: SHA-1
$hash = hash('md4', $data);         // Weak: MD4
$hash = hash("md4", $data);         // Weak: MD4 (double-quoted name is flagged too)
$hash = hash('md2', $data);         // Weak: MD2
$hash = hash('haval128,3', $data);  // Weak: HAVAL-128
$hash = hash('haval128,4', $data);  // Weak: HAVAL-128
$hash = hash('haval128,5', $data);  // Weak: HAVAL-128
$hash = hash('ripemd128', $data);   // Weak: RIPEMD-128
$hash = hash('ripemd160', $data);   // Weak: RIPEMD-160

Compliant Code Examples

<?php
$data = 'example input'; // constructed input so the snippet runs stand-alone

$hash = hash('sha256', $data);   // Secure
$hash = hash('sha512', $data);   // Secure
$hash = hash('sha3-256', $data); // Secure
$hash = hash('sha3-512', $data); // Secure
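The following is an added example, not one of the rule's own listings, showing how the two recommendations in the description fit together in practice: password_hash() for credential storage (with password_needs_rehash() to retire hashes made under older settings) and a SHA-256 digest compared with hash_equals() for an integrity check. The function names storePassword, checkPassword and verifyDigest and the sample values are constructed for this example.

```php
<?php
// Password storage: password_hash() selects a strong algorithm (bcrypt by
// default) and generates the salt itself; the salt and cost are encoded in
// the returned string, so nothing else needs to be persisted.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Verification re-derives the hash using the parameters stored in the string.
// password_needs_rehash() reports when the stored hash was produced with an
// older algorithm or a lower cost than the current default, so legacy
// entries (for example ones migrated from an md5() scheme) can be upgraded
// transparently at the next successful login.
function checkPassword(string $plain, string $stored, ?string &$upgraded = null): bool
{
    if (!password_verify($plain, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upgraded = storePassword($plain); // caller persists this in place of $stored
    }
    return true;
}

// Integrity check: compare a SHA-256 digest with hash_equals(), which runs in
// constant time and so does not leak how many leading bytes matched.
function verifyDigest(string $data, string $expectedHex): bool
{
    return hash_equals($expectedHex, hash('sha256', $data));
}

// Constructed sample values for a stand-alone run.
$stored = storePassword('correct horse battery staple');
$upgraded = null;
var_dump(checkPassword('correct horse battery staple', $stored, $upgraded));
var_dump(checkPassword('wrong password', $stored, $upgraded));

$digest = hash('sha256', 'payload');
var_dump(verifyDigest('payload', $digest));
var_dump(verifyDigest('tampered payload', $digest));
```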