Would the Internals team be open to discussing mitigating HashDoS in a
future version of PHP? i.e. everywhere, even for json_decode() and friends,
by fixing the problem rather than capping the maximum number of input
parameters and hoping it's good enough.

I'd propose SipHash (and/or a derivative): https://www.131002.net/siphash/

(Look at all the other languages that already adopted SipHash.)

https://medium.freecodecamp.com/hash-table-attack-8e4371fc5261#.s5r5j42x3

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
