Description
Converts a variable-length string to a fixed-length string that can act as a "fingerprint" or identifier for the original string. It is not possible to convert the hash result back to the source string.
Returns
A string.
Category
Conversion functions, Security functions, String functions
Function syntax
Hash(string [, algorithm [, encoding] [, iterations ]])
History
- ColdFusion (2023 release) Update 8 and ColdFusion (2021 release) Update 14: Changed the default algorithm from CFMX_COMPAT to SHA-256.
- ColdFusion MX 7: Added the algorithm and encoding parameters.
- ColdFusion 10: Added the iterations argument.
Parameters
Parameter | Description |
---|---|
string | String to hash. |
algorithm | (Optional) The algorithm to use to hash the string. ColdFusion installs a cryptography library with the following algorithms: The Enterprise Edition of ColdFusion installs the RSA BSafe Crypto-J library, which provides FIPS-140 Compliant Strong Cryptography. It includes the following algorithms: |
encoding | (Optional; to use this attribute, also specify the algorithm parameter) A string specifying the encoding to use when converting the string to byte data used by the hash algorithm. Must be a character encoding name recognized by the Java runtime. The default value is the value specified by the defaultCharset entry in the neo-runtime.xml file, which is normally UTF-8. Ignored when using the CFMX_COMPAT algorithm. |
iterations | (Optional) The number of times to iterate hashing, to increase hash computation time. CF10+. ColdFusion considers the number of iterations after hashing the given value. Hence, this parameter is the number of iterations + 1. The default number of additional iterations is 0. |
Usage
The result of this function is useful for comparison and validation. For example, you can store the hash of a password in a database without exposing the password. You can check the validity of the password by hashing the entered password and comparing the result with the hashed password in the database.

ColdFusion uses the Java Cryptography Extension (JCE) and installs a Sun Java runtime that includes the Sun JCE default security provider. This provider includes the algorithms listed in the Parameters section. The JCE framework includes facilities for using other provider implementations; however, Adobe cannot provide technical support for third-party security providers.

The encoding attribute is normally not required. It provides a mechanism for generating identical hash values on systems with different default encodings. ColdFusion uses a default encoding of UTF-8 unless you modify the defaultCharset entry in the neo-runtime.xml file.
Example
The following example lets you enter a password and compares the hashed password with a hash value saved in the SecureData table of the cfdocexamples database. This table has the following entries:
User ID | Password |
---|---|
blaw | blaw |
dknob | dknob |
```cfml
<cfscript>
// SHA-256 example
writeOutput(hash("an important string", "SHA-256", "UTF-8"))
// 4825D8AB22800A9BE09986366D6430CA8E704323E4470608AC303A9F1C05626F

// SHA-512 example
writeOutput(hash("an important string", "SHA-512", "UTF-8"))
// 06B24506B66BA5DA743CC8E2F67977C212379FCE7FF8F3BB99AC7A2A0C053D595B1A4077E9C9346453A95067BCED38338920DF8CC85F4ED3313A7039D37DFCD7
</cfscript>
```
Output
4825D8AB22800A9BE09986366D6430CA8E704323E4470608AC303A9F1C05626F06B24506B66BA5DA743CC8E2F67977C212379FCE7FF8F3BB99AC7A2A0C053D595B1A4077E9C9346453A95067BCED38338920DF8CC85F4ED3313A7039D37DFCD7
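
The password check described under Usage and in the introduction to this example, written out as an added example (not Adobe's code). It passes an explicit algorithm, encoding and iterations value to Hash(), and compares digests with a comparison that does not stop at the first differing character. The function names, the per-user salt, the iterations value of 10000 and the in-memory `stored` struct standing in for the SecureData table are assumptions made for illustration.

```cfml
<cfscript>
// Added example. newPasswordRecord and passwordMatches are hypothetical
// helper names; only hash() and its parameters come from this page.

// Build the values to store for a new password: a random per-user salt,
// the iterations value used, and the salted digest.
function newPasswordRecord(required string password, numeric iterations = 10000) {
    // Random 128-bit value returned as a string; used here as the salt (assumption).
    var salt = generateSecretKey("AES", 128);
    return {
        salt = salt,
        iterations = arguments.iterations,
        // Explicit algorithm and encoding so the digest is identical on
        // servers with a different defaultCharset setting.
        digest = hash(salt & arguments.password, "SHA-256", "UTF-8", arguments.iterations)
    };
}

// Recompute the digest from the entered password with the stored salt and
// iterations value, then compare it with the stored digest.
function passwordMatches(required string entered, required struct record) {
    var candidate = hash(
        arguments.record.salt & arguments.entered,
        "SHA-256", "UTF-8", arguments.record.iterations
    );
    // java.security.MessageDigest.isEqual compares two byte arrays.
    var md = createObject("java", "java.security.MessageDigest");
    return md.isEqual(
        charsetDecode(candidate, "utf-8"),
        charsetDecode(arguments.record.digest, "utf-8")
    );
}

// Constructed sample data using the user IDs and passwords from the table above.
stored = {
    blaw  = newPasswordRecord("blaw"),
    dknob = newPasswordRecord("dknob")
};

writeOutput(passwordMatches("blaw", stored.blaw) & "<br>");   // correct password
writeOutput(passwordMatches("dknob", stored.blaw) & "<br>");  // wrong password for blaw
</cfscript>
```

Because each record carries its own salt, two users with the same password get different stored digests, and the plain password never needs to be written to the table.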