PHP 8.1: mhash*() functions (hash extension) are deprecated
Prior to PHP 5.3, there was an extension called mhash, which provided various mhash*() functions to compute hash values. The mhash extension was made obsolete by the hash extension. From PHP 5.3, it was possible to bring mhash*() functions to the hash extension with a PHP configure option --enable-mhash.
Since PHP 7.4, the hash extension is made a bundled extension, which means it is no longer possible to compile PHP without the hash extension. It continued support the --enable-mhash option for compatibility reasons.
From PHP 8.1 and later, using mhash*() functions emit a deprecation notice, and they will be removed in PHP 9.0.
Affected Functions
All mhash*() functions are affected.
mhashmhash_countmhash_get_block_sizemhash_get_hash_namemhash_keygen_s2k
Attempting to use any of the functions above emit a PHP deprecation notice from PHP 8.1 and later:
Deprecated: Function mhash() is deprecated in ... on line...mhash constants
Note that using the PHP constants declared for mhash*() function family do not emit deprecation notices, but they will be removed in PHP 9.0 as well.
mhash constant |
Assigned value | string value for hash() |
|---|---|---|
MHASH_CRC32 |
0 |
crc32 |
MHASH_CRC32B |
9 |
crc32b |
MHASH_GOST |
8 |
gost |
MHASH_HAVAL128 |
13 |
haval128,3 |
MHASH_HAVAL160 |
12 |
haval160,3 |
MHASH_HAVAL192 |
11 |
haval192,3 |
MHASH_HAVAL224 |
10 |
haval224,3 |
MHASH_HAVAL256 |
3 |
haval256,3 |
MHASH_MD4 |
16 |
md4 |
MHASH_MD5 |
1 |
md5 |
MHASH_RIPEMD160 |
5 |
ripemd160 |
MHASH_SHA1 |
2 |
sha |
MHASH_SHA256 |
17 |
sha256 |
MHASH_TIGER |
7 |
tiger192,3 |
MHASH_TIGER128 |
14 |
tiger128,3 |
MHASH_TIGER160 |
15 |
tiger160,3 |
Suggested Alternative
hash extension, a bundled PHP extension since PHP 7.4 and provides the same functionality with hash*() family of functions.
In mhash*() line of functions, the hash algorithm is set as a PHP constant. In hash() functions, the algorithm is accepted as string value. Refer to the mhash constants for replacement values.
Calculating a hash
- $hash = mhash(MHASH_SHA1, 'test');
+ $hash = hash('sha1', 'test', true); hash function accepts a string value for the algorithm name (sha1 in the example), as opposed to a constant in mhash. Further, hash function returns the computed hash value as a hex value by default, unless the third parameter of the hash function is set to true.
Calculating an HMAC
Computing an HMAC (Hash-based Message Authentication Code) is can be done with the same mhash function with mhash*() family, but there a separate hash_hmac function.
- $hmac = mhash(MHASH_SHA1, 'test', 'secret-key');
+ $hmac = hash_hmac('sha1', 'test', 'secret-key', true);Backwards Compatibility Impact
Existing calls to mhash*() continue to work in PHP 8.1 and later, but PHP emits a deprecation notice.
mhash*() family of functions, along with the mhash constants will be removed in PHP 9.0.