Security

@Crypt — cryptography (22 methods)

Hashing

ZYMBA
echo @Crypt.hash("hello", "md5"); // MD5 hex digest (checksums only; MD5 is not collision-resistant)
echo @Crypt.hash("hello", "sha256"); // SHA-256 hex digest
echo @Crypt.hash("hello", "sha256", "key"); // HMAC-SHA256

// Raw binary output
$raw = @Crypt.hashRaw("hello", "sha256");

// Hash a file directly
$fileHash = @Crypt.hashFile("/path/to/file", "sha256");

// List available algorithms
$algos = @Crypt.listHashAlgorithms();

Password hashing

ZYMBA
$hash = @Crypt.hashPassword("mypassword");
$valid = @Crypt.verifyPassword("mypassword", $hash); // true

// Constant-time comparison for secrets (prevents timing attacks)
$safe = @Crypt.equalsTimeConstant($expectedToken, $inputToken);

Key derivation

ZYMBA
$derived = @Crypt.pbkdf2("password", "salt", "sha256", 10000, 32);

UUIDs and random

ZYMBA
echo @Crypt.createUUID(); // "567dfb5e-fbb0-40e3-..."
echo @Crypt.createTimeOrderedUUID(); // Time-ordered UUID (v7)
echo @Crypt.createNonce(16); // 16-byte random hex string
echo @Crypt.createNonceRaw(16); // 16 random bytes (binary)
echo @Crypt.createPassword(12); // Random 12-char readable password

JWT

ZYMBA
// Create a JWT
$token = @Crypt.createJWT(
    [sub: "user123", exp: @Date.now() + 3600],
    $secret,
    "HS256"
);

// Verify a JWT
$claims = @Crypt.verifyJWT($token, $secret);
if ($claims is null) {
    throw new @Exception("Invalid token");
}
echo $claims.sub; // "user123"
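
What an HS256 verifier has to check before it hands back claims, sketched in Python with the standard library. This is an added example, not Zymba's implementation of @Crypt.verifyJWT: the function names are hypothetical, and returning None on any failure mirrors the null check above.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 token: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims dict, or None if the token must be rejected."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(head_b64))
        # Pin the algorithm on the verifier side; the token's own header
        # (for example "alg": "none") must never select it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        # Compare MACs in constant time, before trusting the payload.
        if not hmac.compare_digest(expected, unb64url(sig_b64)):
            return None
        claims = json.loads(unb64url(body_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    now = time.time() if now is None else now
    # An expired or malformed "exp" invalidates an otherwise valid token.
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return None
    return claims
```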

Symmetric encryption

ZYMBA
// Generate a fresh initialization vector (IV) for each message;
// the same IV is needed again to decrypt
$iv = @Crypt.createIV("aes-256-cbc");

// Encrypt and decrypt
$encrypted = @Crypt.encrypt("secret data", $key, "aes-256-cbc", $iv);
$decrypted = @Crypt.decrypt($encrypted, $key, "aes-256-cbc", $iv);

// List available ciphers
$ciphers = @Crypt.listCiphers();

RSA key conversion

ZYMBA
$pem = @Crypt.convertPublicKeyRSAToPEM($exponent, $modulus);

@Exception — exception handling

ZYMBA
$e = new @Exception("Something went wrong");
echo $e.getMessage(); // "Something went wrong"
echo $e.getTracesAsString(); // Stack trace

Exceptions are created with new @Exception(message) and thrown with throw. When you catch a plain string that was thrown, the runtime wraps it in an exception object automatically:

ZYMBA
try {
    throw "error message";
} catch ($e) {
    echo $e.getMessage(); // "error message"
}

See Exception Handling for complete usage patterns.


Security best practices

Always hash passwords

ZYMBA
// NEVER store plain passwords
$hash = @Crypt.hashPassword($plainPassword);
// Store $hash in database

// Verify on login
if (!@Crypt.verifyPassword($inputPassword, $storedHash)) {
    throw new @Exception("Invalid credentials");
}

Constant-time comparison for secrets

ZYMBA
// WRONG — timing attack vulnerable
if ($token == $expectedToken) { ... }

// CORRECT — constant-time comparison
if (@Crypt.equalsTimeConstant($expectedToken, $token)) { ... }

Use parameterized queries (not @Crypt)

SQL injection prevention is handled by @SQL.prepare(), not by cryptographic methods. See Database for details.