Use of hash functions
For Drupal 7 and later, in both core and contributed modules, the sha1() hash functions should never be used in any code, since they are considered obsolete and potentially insecure for some applications. This is a settled policy for Drupal core. For a normal hash function, use SHA-256 by calling
Even if such functions are not used for security purposes, any use of them at all can cause third-party security audits of the codebase to raise flags. This can be a problem if, for example, government entities require such audits, which would then require additional documentation to verify that the uses are indeed not a security issue.
Drupal 7 provides wrapper functions that return shorter, base-64 encoded hashes for use in URLs, etc. See:
For Drupal 8 these have been moved to a utility class:
Any time you need to authenticate the content of a string or file by combining a secret key (e.g. a session ID) with the string, you should avoid using a single hash function, which may be vulnerable to length-extension attacks. The preferred approach is to calculate a Hash-based Message Authentication Code (HMAC) using hash functions, or to rely on PHP's hash extension for PHP 5. An acceptable (but less preferred) alternative is to apply the hash function twice.
An example using PHP's hash library:
$hmac = hash_hmac('sha256', $data, $secret_key);
An example using Drupal 7's hmac function:
$hmac = drupal_hmac_base64($data, $secret_key);
An example of double hashing in Drupal 6 is:
$hash = sha1(sha1($secret_key . $data));
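The three one-liners above show how the tag is produced but not how it is checked. The following is an added example, not code from the Drupal documentation or from Drupal core, written in plain PHP against the hash extension: it builds a URL-safe HMAC-SHA256 token, verifies it with a constant-time comparison, and shows the less-preferred double-hash variant using SHA-256 instead of the Drupal 6 era sha1(). The function names, the URL-safe base64 transliteration, and the sample $secret_key and $data values are this example's own assumptions.

```php
<?php
// Added example (not from the Drupal documentation): building and verifying an
// HMAC-SHA256 authentication tag in plain PHP, plus the "hash twice" fallback.
// Function names and sample values below are constructed for illustration.

function make_hmac_token(string $data, string $secret_key): string {
    // Raw binary HMAC, then URL-safe base64 so the tag can travel in a URL.
    // The '+/' -> '-_' transliteration and padding strip are this example's
    // own choice (assumption), not Drupal's helper implementation.
    $raw = hash_hmac('sha256', $data, $secret_key, true);
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function verify_hmac_token(string $data, string $secret_key, string $token): bool {
    // Recompute the tag and compare in constant time, so the comparison
    // itself does not leak how long a prefix of the supplied token matched.
    $expected = make_hmac_token($data, $secret_key);
    return hash_equals($expected, $token);
}

function double_hash(string $data, string $secret_key): string {
    // The acceptable-but-less-preferred alternative from the text: hash twice.
    // SHA-256 replaces the obsolete sha1() of the Drupal 6 example.
    return hash('sha256', hash('sha256', $secret_key . $data));
}

// Constructed sample input. In real code the key comes from configuration
// (e.g. a private key stored with the site), never a literal in the module.
$secret_key = 'example-secret-key-from-site-config';
$data = 'uid=42&action=reset';

$token = make_hmac_token($data, $secret_key);

// A token only verifies against the exact data it was issued for.
$matches = verify_hmac_token($data, $secret_key, $token);
$tampered = verify_hmac_token('uid=43&action=reset', $secret_key, $token);

echo "token:            ", $token, PHP_EOL;
echo "matches original: ", var_export($matches, true), PHP_EOL;
echo "matches tampered: ", var_export($tampered, true), PHP_EOL;
echo "double hash:      ", double_hash($data, $secret_key), PHP_EOL;
```

Passing `true` as the fourth argument to hash_hmac() returns raw bytes rather than hex, which keeps the base64 token short; hash_equals() is the comparison to use whenever a caller-supplied tag is checked against a recomputed one.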
Drupal 5 and Drupal 6 core use the md5() hash function for many purposes. While a collision or attack on this hash function is still unlikely, when writing a contributed module for Drupal 5 or 6 it is still preferable to use the sha1() hash function in place of md5().
For a full discussion of the motivation for the change for Drupal 7, see.