SHA256 Hashing is far more secure than the often-used MD5 hash, however PHP 4 doesn't offer built-in support. This script allows SHA 256 in PHP 4.x and uses PHP 5.x's built in function instead when available.
Since the notification of PHP 4 support coming to a close,
Nanolink Solutions has decided to release this utility to the public domain.
This script was developed for PHP and tested in PHP 4.x and 5.x
environments. It will produce the same results as
NIST's standard for
the SHA256 Secure Hash Algorithm as defined in FIPS180-2.
As PHP 4 will no longer have futher development, this script may be useful for some hosts that are reluctant to upgrade for various reasons.
It works with PHP 4.x and 5.x, using PHP 5.x's built in functions when available to ensure maximum speed. As long as your scripts call the included sha256() routine, it will check if the newer PHP5 hash() routine is available. If the hash() routine is available, it will pass your string to that and skip the PHP hashing routine. This will dramatically increase performance.
Some sporadic versions of PHP do not handle integer overflows the same as the majority of builds. If you get hash results of: 7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff If you do not have permissions to change PHP versions (if you did you'd probably upgrade to PHP 5 anyway) it is advised you install a module that will allow you to use their hashing routines, examples are: - mhash module : http://ca3.php.net/mhash - Suhosin : http://www.hardened-php.net/suhosin/ If you install the Suhosin module, this script will transparently use their routine and define the PHP routine as _nano_sha256(). If the mhash module is present, and $ignore_php5_hash = false the script will attempt to use the output from mhash prior to running the PHP code.
2009-07-23: Tested on various 64bit and 32bit platforms, consolidated most code into a single object. Added functionality for users to define _NANO_SHA2_UPPER to produce uppercase hash results. Included a 32-bit cropping patch to ensure data integrity when using either 4 or 8 byte integers.
magic_quotes issues: If you are getting occasional hash mismatches, ensure your php's installation has magic_quotes_gpc = off. This setting will cause GET/POST/Cookie values to be escaped regardless of set_magic_quotes_runtime(). If your system does not allow for custom php.ini's, or will not change their settings, it is advised to use the get_magic_quotes_gpc() method to determine if you need to add a stripslashes() to your GET/POST/COOKIE elements.