PHP 8.1: mhash*() functions (hash extension) are deprecated


Prior to PHP 5.3, there was an extension called mhash, which provided various mhash*() functions to compute hash values. The mhash extension was made obsolete by the hash extension. From PHP 5.3, it was possible to bring mhash*() functions to the hash extension with a PHP configure option --enable-mhash.

Since PHP 7.4, the hash extension has been a bundled extension, which means it is no longer possible to compile PHP without it. It continued to support the --enable-mhash option for compatibility reasons.

From PHP 8.1 and later, using mhash*() functions emits a deprecation notice, and they will be removed in PHP 9.0.

Affected Functions

All mhash*() functions are affected.

  • mhash
  • mhash_count
  • mhash_get_block_size
  • mhash_get_hash_name
  • mhash_keygen_s2k

Attempting to use any of the functions above emits a PHP deprecation notice from PHP 8.1 and later:

Deprecated: Function mhash() is deprecated in ... on line...

mhash constants

Note that using the PHP constants declared for the mhash*() function family does not emit deprecation notices, but they will be removed in PHP 9.0 as well.

mhash constant     Assigned value   String value for hash()
MHASH_CRC32        0                crc32
MHASH_CRC32B       9                crc32b
MHASH_HAVAL128     13               haval128,3
MHASH_HAVAL160     12               haval160,3
MHASH_HAVAL192     11               haval192,3
MHASH_HAVAL224     10               haval224,3
MHASH_HAVAL256     3                haval256,3
MHASH_MD4          16               md4
MHASH_MD5          1                md5
MHASH_RIPEMD160    5                ripemd160
MHASH_SHA1         2                sha1
MHASH_SHA256       17               sha256
MHASH_TIGER        7                tiger192,3
MHASH_TIGER128     14               tiger128,3
MHASH_TIGER160     15               tiger160,3

Suggested Alternative

The hash extension, a bundled PHP extension since PHP 7.4, provides the same functionality with the hash*() family of functions.

In the mhash*() family of functions, the hash algorithm is passed as a PHP constant. In the hash*() functions, the algorithm is passed as a string value. Refer to the mhash constants table for replacement values.

Calculating a hash

- $hash = mhash(MHASH_SHA1, 'test');
+ $hash = hash('sha1', 'test', true); 

The hash function accepts a string value for the algorithm name (sha1 in the example), as opposed to a constant in mhash. Further, the hash function returns the computed hash as a hexadecimal string by default, unless its third parameter is set to true. Passing true, as in the example, returns raw binary output, which is what mhash returns.

Calculating an HMAC

With the mhash*() family, computing an HMAC (Hash-based Message Authentication Code) is done with the same mhash function, but the hash extension has a separate hash_hmac function for it.

- $hmac = mhash(MHASH_SHA1, 'test', 'secret-key');
+ $hmac = hash_hmac('sha1', 'test', 'secret-key', true);
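
The two replacements above, combined into one migration helper. This is an added example, not code from the original article or from PHP itself; the names mhash_compat and MHASH_TO_HASH are hypothetical, and unlike mhash() the helper throws on input it cannot map.

```php
<?php
declare(strict_types=1);

// Assigned value => hash() algorithm name, taken from the mhash constants
// table on this page (with sha1 as used in this section's examples). Plain
// integers are used as keys so the map does not need the MHASH_* constants.
const MHASH_TO_HASH = [
    0  => 'crc32',      9  => 'crc32b',
    13 => 'haval128,3', 12 => 'haval160,3', 11 => 'haval192,3',
    10 => 'haval224,3', 3  => 'haval256,3',
    16 => 'md4',        1  => 'md5',        5  => 'ripemd160',
    2  => 'sha1',       17 => 'sha256',
    7  => 'tiger192,3', 14 => 'tiger128,3', 15 => 'tiger160,3',
];

// Hypothetical replacement for mhash(): returns the raw binary digest, or the
// raw HMAC when $key is given. Unlike mhash(), it throws on unknown input.
function mhash_compat(int $algo, string $data, ?string $key = null): string
{
    $name = MHASH_TO_HASH[$algo] ?? null;
    if ($name === null) {
        throw new InvalidArgumentException("No hash() name for mhash value $algo");
    }
    if ($key === null) {
        return hash($name, $data, true);
    }
    // hash_hmac() rejects non-cryptographic algorithms such as crc32.
    if (!in_array($name, hash_hmac_algos(), true)) {
        throw new InvalidArgumentException("$name cannot be used with hash_hmac()");
    }
    return hash_hmac($name, $data, $key, true);
}

// Constructed sample input: print each digest and, where the build still has
// mhash(), check that the replacement produces identical bytes.
foreach (MHASH_TO_HASH as $id => $name) {
    $new  = mhash_compat($id, 'test');
    $line = sprintf('%-12s %s', $name, bin2hex($new));
    if (function_exists('mhash')) {
        $old   = @mhash($id, 'test'); // @ silences the 8.1 deprecation notice
        $line .= hash_equals((string) $old, $new) ? '  same as mhash()' : '  differs';
    }
    echo $line, PHP_EOL;
}

// Compare MACs in constant time with hash_equals(), not with == or ===.
$mac = mhash_compat(2, 'test', 'secret-key'); // 2 is the value of MHASH_SHA1
var_dump(hash_equals(hash_hmac('sha1', 'test', 'secret-key', true), $mac));
```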

Backwards Compatibility Impact

Existing calls to mhash*() continue to work in PHP 8.1 and later, but PHP emits a deprecation notice.

The mhash*() family of functions, along with the mhash constants, will be removed in PHP 9.0.
