Name

sha1()

Synopsis

    string sha1 ( string str [, bool raw_output] )

SHA stands for the "Secure Hash Algorithm," and it is a way of converting a string of any size into a 40-bit hexadecimal number that can be used for verification. Checksums are like unidirectional (one-way) encryption designed to check the accuracy of input. By unidirectional, I mean that you cannot run $hash = sha1($somestring), then somehow decrypt $hash to get $somestring—it is just not possible, because a checksum does not contain its original text.

Checksums are a helpful way of storing private data. For example, how do you check whether a password is correct?

    if ($password == "Frosties") {
        // ........
    }

While that solution works, it means that whoever reads your source code gets your password. Similarly, if you store all your users' passwords in your database and someone cracks it, you will look bad. If you store only the checksums of people's passwords in your database, or in your files, then malicious users will not be able to retrieve the original password.

The downside of that is that authorized users will not be able to get at the passwords either—whether or not that is a good thing varies from case to case, but usually having checksummed passwords is worthwhile. People who forget their password must simply reset it to a new password as opposed to retrieving it.
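The following is an added example, not code from the book. It performs the checksum comparison described above with hash_equals(), and upgrades a matching legacy sha1() record to PHP's password_hash(), which salts each hash and is deliberately slow. The function names and sample values are assumptions made for illustration.

```php
<?php
// Added example; function names and sample values are hypothetical.

// Store a new password: salted and deliberately slow, unlike a bare sha1().
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Check a login attempt against a stored value that is either a legacy
// sha1() digest (40 hexadecimal characters) or a password_hash() string.
// Returns [ok, replacement]: replacement is a new value to save when the
// stored one should be upgraded, otherwise null.
function check_password(string $attempt, string $stored): array
{
    if (preg_match('/^[0-9a-f]{40}$/', $stored)) {
        // Legacy record: compare digests in constant time. Plain == would
        // compare numeric-looking strings as numbers.
        $ok = hash_equals($stored, sha1($attempt));
        return [$ok, $ok ? store_password($attempt) : null];
    }

    $ok = password_verify($attempt, $stored);
    $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $upgrade ? store_password($attempt) : null];
}

// Constructed sample data: one legacy record and one current record.
$legacy  = sha1('Frosties');
$current = store_password('Frosties');

// Correct password against the legacy record: a replacement is offered.
[$ok, $new] = check_password('Frosties', $legacy);
var_dump($ok, $new !== null);

// Wrong password (different case) against the legacy record.
[$ok, $new] = check_password('frosties', $legacy);
var_dump($ok, $new);

// Correct password against a record already made by password_hash().
[$ok, $new] = check_password('Frosties', $current);
var_dump($ok, $new);
```

Saving the returned replacement over the old value retires legacy records as users log in, without ever needing the original password back.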

Checksumming is also commonly used to check whether files have downloaded properly—if your checksum is equal to the correct checksum value, then you have downloaded ...
