
How to handle the integrity of the message when generating a signature using hash_final?

gitbox 2025-05-27

In PHP, hash_final is used together with hash_init and hash_update. It generates hash digests (that is, signatures) that are used to verify the integrity of data. This article explains in detail how to use hash_final correctly to generate signatures and ensure the integrity of messages during transmission or storage.

1. What is hash_final?

hash_final is a function in the hash extension provided by PHP, which is used to complete a step-by-step hash operation and return the result. Its basic workflow is as follows:

  1. Initialize a hash context using hash_init.

  2. Use hash_update to append the data to be hashed to the context (it can be called multiple times to process large data in blocks).

  3. Use hash_final to get the final hash value (signature).

This step-by-step approach is especially suitable for handling large files or streaming data, because you don't need to load the entire content into memory at once.

2. Code example: How to generate a signature

Let's look at a simple example, which simulates signing a message:

<?php
$message = 'This is a message that requires signature';
$algo = 'sha256';

// Initialize the hash context
$context = hash_init($algo);

// Update the hash context; data can be added over multiple calls
hash_update($context, $message);

// Get the final signature (digest)
$signature = hash_final($context);

// Output the signature
echo "sign: " . $signature . "\n";
?>

In this example, we use the sha256 algorithm to generate a digest of the message. The output is a hexadecimal encoded hash value, which can be used to verify the integrity of the message on the receiving end.

3. How to ensure message integrity

Generating a signature is not enough; the key is how the signature is verified. A complete process usually consists of the following steps:

1. Sender:

  • Generate a signature.

  • Send the message and the signature to the receiver.

2. Receiver:

  • Receive the message.

  • Regenerate the signature of the message using the same algorithm.

  • Compare the received signature with the calculated signature.

Code example (receiver verification):

<?php
$received_message = 'This is a message that requires signature';
// Placeholder: the signature provided by the sender
$received_signature = '发送端提供的sign';
$algo = 'sha256';

// Recalculate the signature
$context = hash_init($algo);
hash_update($context, $received_message);
$calculated_signature = hash_final($context);

// Compare the signatures: known (calculated) value first, received value second
if (hash_equals($calculated_signature, $received_signature)) {
    echo "The message is complete,Not tampered with。\n";
} else {
    echo "warn:The message may have been tampered with!\n";
}
?>

Note: Using hash_equals to compare signatures instead of using == directly can prevent timing attacks.
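A plain SHA-256 digest can be recomputed by anyone who alters the message, so when the message and its signature travel over the same channel a keyed digest is the usual choice. The following is an added example, not code from the original article: the same hash_init / hash_update / hash_final flow using PHP's HASH_HMAC option, where the key value, the helper names sign_chunks and verify_chunks, and the message chunks are constructed for illustration.

```php
<?php
// Added example: keyed (HMAC) variant of the init/update/final flow.
// sign_chunks() and verify_chunks() are hypothetical helper names;
// $key and the chunks below are constructed sample values.

/** Compute an HMAC incrementally over an iterable of string chunks. */
function sign_chunks(iterable $chunks, string $key, string $algo = 'sha256'): string
{
    // HASH_HMAC puts the context in keyed mode; a non-empty key is required.
    $context = hash_init($algo, HASH_HMAC, $key);
    foreach ($chunks as $chunk) {
        hash_update($context, $chunk);
    }
    return hash_final($context); // lowercase hexadecimal string
}

/** Recompute the HMAC on the receiving side and compare in constant time. */
function verify_chunks(iterable $chunks, string $signature, string $key, string $algo = 'sha256'): bool
{
    // hash_equals() takes the known value first and the supplied value second.
    return hash_equals(sign_chunks($chunks, $key, $algo), $signature);
}

// Assumption: the key is shared out of band and loaded from secret storage.
$key    = 'constructed-demo-key-not-for-production';
$chunks = ['This is a message ', 'that requires ', 'signature'];

$signature = sign_chunks($chunks, $key);

// Case 1: chunked hashing compared with one-shot hash_hmac() over the same bytes.
$one_shot = hash_hmac('sha256', implode('', $chunks), $key);
echo "incremental equals one-shot: ", var_export($signature === $one_shot, true), "\n";

// Case 2: the untouched message checked against its own signature.
echo "original message verifies:   ", var_export(verify_chunks($chunks, $signature, $key), true), "\n";

// Case 3: an altered message presented with the original signature.
$altered = ['This is a message ', 'that requires ', 'payment'];
echo "altered, old signature:      ", var_export(verify_chunks($altered, $signature, $key), true), "\n";

// Case 4: an altered message with a freshly computed unkeyed digest,
// which is all a party without the key can produce.
$unkeyed = hash('sha256', implode('', $altered));
echo "altered, unkeyed digest:     ", var_export(verify_chunks($altered, $unkeyed, $key), true), "\n";
```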

4. Practical case: file download verification

Suppose you want users to download a file from https://gitbox.net/download/file.zip and you want to provide a hash value for verification. You can do this:

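<?php
$file = 'file.zip';
$algo = 'sha256';

// Open the file as a binary stream; stop if it cannot be opened
$handle = fopen($file, 'rb');
if ($handle === false) {
    exit("Cannot open $file\n");
}

// Hash the file in 8192-byte chunks so it never has to fit in memory
$context = hash_init($algo);
while (!feof($handle)) {
    $data = fread($handle, 8192);
    if ($data === false) {
        // A read error would otherwise yield a digest of a partial file
        fclose($handle);
        exit("Read error on $file\n");
    }
    hash_update($context, $data);
}
fclose($handle);

// Get the file's signature (hash value)
$hash = hash_final($context);

echo "Download link: https://gitbox.net/download/file.zip\n";
echo "File hashing(Used to verify integrity): $hash\n";
?>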

Downloaders can use the same algorithm to calculate the downloaded file hash value to ensure that it is consistent with the provided value, thereby verifying that the file is complete and has not been tampered with.