Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.On this page
Use of hash functions
Drupal 7 will no longer be supported after January 5, 2025. Learn more and find resources for Drupal 7 sites
For Drupal 7 and later core and contributed modules, the md5() and sha1() hash functions should never be used in any code, since they are considered obsolete and potentially insecure for some applications. This is a settled policy for Drupal core. For a normal hash function use sha-256 by calling hash('sha256', $data).
Even if the use of such functions are not for security purposes, any use of them at all can cause third party security audits of the codebase to raise flags. This can be a problem if, for example, Government entities require such audits - which would then require additional documentation to verify that they are indeed, not a security issue.
Drupal 7
Drupal 7 presents wrapper functions to get shorter, base-64 encoded hashes to use in URLs, etc. See:
Drupal 8
For Drupal 8 these have been moved to a utility class:
\Drupal\Component\Utility\Crypt::hashBase64($data)\Drupal\Component\Utility\Crypt::hmacBase64($data, $key)
Background information
Any time you need to authenticate the content of a string or file by combining a secret key (e.g. a session ID) with the string, you should avoid using a single hash function which may be vulnerable to string-extension attacks. The preferred approach is to calculate a Hash-based Message Authentication Code (HMAC) using hash functions or relying on PHP's hash extension for PHP 5. An acceptable (but less preferred) alternative is to apply the hash function twice.
An example using PHP's hash library
$hmac = hash_hmac('sha256', $data, $secret_key);
An example using Drupal 7's hmac function:
$hmac = drupal_hmac_base64($data, $secret_key);
An example of double hashing in Drupal 6 is:
$hash = sha1(sha1($secret_key . $data));
Drupal 5 and Drupal 6 core use the md5() for many purposes. While a collision or attack on this hash function is still unlikely, when writing a contributed module for Drupal 5 or 6, it is still preferable to use the sha1() hash function in place of md5().
For a full discussion of the motivation for the change for Drupal 7, see #723802: convert to sha-256 and hmac from md5 and sha1.
Help improve this page
You can:
- Log in, click Edit, and edit this page
- Log in, click Discuss, update the Page status value, and suggest an improvement
- Log in and create a Documentation issue with your suggestion
