Use of hash functions

Last updated on
20 September 2016

For Drupal 7 and later core and contributed modules, the md5() and sha1() hash functions should never be used in any code, since they are considered obsolete and potentially insecure for some applications. This is a settled policy for Drupal core. For a normal hash function use sha-256 by calling hash('sha256', $data).

Even if the use of such functions are not for security purposes, any use of them at all can cause third party security audits of the codebase to raise flags. This can be a problem if, for example, Government entities require such audits - which would then require additional documentation to verify that they are indeed, not a security issue.

Drupal 7

Drupal 7 presents wrapper functions to get shorter, base-64 encoded hashes to use in URLs, etc. See:

Drupal 8

For Drupal 8 these have been moved to a utility class:

Background information

Any time you need to authenticate the content of a string or file by combining a secret key (e.g. a session ID) with the string, you should avoid using a single hash function which may be vulnerable to string-extension attacks. The preferred approach is to calculate a Hash-based Message Authentication Code (HMAC) using hash functions or relying on PHP's hash extension for PHP 5. An acceptable (but less preferred) alternative is to apply the hash function twice.

An example using PHP's hash library

  $hmac = hash_hmac('sha256', $data, $secret_key);

An example using Drupal 7's hmac function:

  $hmac = drupal_hmac_base64($data, $secret_key);

An example of double hashing in Drupal 6 is:

  $hash = sha1(sha1($secret_key . $data));

Drupal 5 and Drupal 6 core use the md5() for many purposes. While a collision or attack on this hash function is still unlikely, when writing a contributed module for Drupal 5 or 6, it is still preferable to use the sha1() hash function in place of md5().

For a full discussion of the motivation for the change for Drupal 7, see #723802: convert to sha-256 and hmac from md5 and sha1.