On Friday, 26 July 2024 at 08:09, Peter Stalman <sarke...@gmail.com> wrote:

> On Thu, Jul 25, 2024 at 11:35 PM Peter Stalman <sarke...@gmail.com> wrote:
>
>> If their learning insticast
>
> *instincts.
>
> I should also clarify, I'm not against deprecations in general. However, the 
> benefits should outweigh the costs. If something is getting unmaintainable, 
> no longer supported, inherently insecure etc, those are all good reasons. 
> `password_hash` as mentioned was a great addition, and should/did solve this 
> very issue. Even someone reading a blog tutorial from 11 years ago would be 
> able to see this used properly.
>
> But md5/sha1 are not bad functions, they do *exactly* what they say on the 
> box. Being able to do the exact same thing by spelling the function slightly 
> differently isn't even deprecating them, just deprecating an alias. They're 
> only *bad* if used in a *bad way*, and that to me is not enough of a reason.

Stephen Rees-Carter, a security expert who has performed countless security 
audits on WordPress and Laravel websites, would like to disagree with the fact 
that it is not enough of a good reason. [1]
A warning on a documentation page is useless, as nobody is forced to read it.

Yet again the PHP community doesn't care about the security of its users, current 
and future, and just prefers the convenience of needing to type fewer characters 
and not go back and fix some code for better design.

I am not sure why I was expecting something else, but I guess I am just 
disappointed.
I suppose we are truly becoming Oracle.

Sincerely,
Gina P. Banyard

[1] https://x.com/valorin/status/1816593881791860963
