Use SHA-256
For most PHP applications — API signatures, HMAC tokens, file integrity, JWT signing — SHA-256 is the right choice. It's fast, widely supported, and cryptographically secure.
Not for passwords
None of these hashes are suitable for passwords. They're designed to be fast — which is exactly wrong for passwords. Use BCrypt, Argon2, or scrypt for passwords instead.
MD5 and SHA-1
MD5 and SHA-1 have known collision vulnerabilities — two different inputs can produce the same hash. They're still useful for non-security tasks like cache keys, but avoid them for anything security-sensitive.
hash() function
In PHP: hash('sha256', $input) returns the hex digest. Use hash_hmac('sha256', $data, $secret) for authenticated hashes like API request signing.
Hashing, HMAC, JWT signing, API authentication — covered in our PHP developer ebooks and courses.