Security
@Crypt — cryptography (22 methods)
Hashing
ZYMBA
echo @Crypt.hash("hello", "md5"); // MD5 hex digest
echo @Crypt.hash("hello", "sha256"); // SHA-256 hex digest
echo @Crypt.hash("hello", "sha256", "key"); // HMAC-SHA256
// Raw binary output
$raw = @Crypt.hashRaw("hello", "sha256");
// Hash a file directly
$fileHash = @Crypt.hashFile("/path/to/file", "sha256");
// List available algorithms
$algos = @Crypt.listHashAlgorithms();
Password hashing
ZYMBA
$hash = @Crypt.hashPassword("mypassword");
$valid = @Crypt.verifyPassword("mypassword", $hash); // true
// Constant-time comparison for secrets (prevents timing attacks)
$safe = @Crypt.equalsTimeConstant($expectedToken, $inputToken);
Key derivation
ZYMBA
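// "salt" is a placeholder: use a unique random salt per password (e.g. from @Crypt.createNonceRaw)
$derived = @Crypt.pbkdf2("password", "salt", "sha256", 10000, 32);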
UUIDs and random
ZYMBA
echo @Crypt.createUUID(); // "567dfb5e-fbb0-40e3-..."
echo @Crypt.createTimeOrderedUUID(); // Time-ordered UUID (v7)
echo @Crypt.createNonce(16); // 16-byte random hex string
echo @Crypt.createNonceRaw(16); // 16 random bytes (binary)
echo @Crypt.createPassword(12); // Random 12-char readable password
JWT
ZYMBA
// Create a JWT
$token = @Crypt.createJWT(
    [sub: "user123", exp: @Date.now() + 3600],
    $secret,
    "HS256"
);
// Verify a JWT
$claims = @Crypt.verifyJWT($token, $secret);
if ($claims is null) {
    throw new @Exception("Invalid token");
}
echo $claims.sub; // "user123"
Symmetric encryption
ZYMBA
// Generate an initialization vector for the cipher.
// Use a fresh IV for every message and keep it with the ciphertext: it is needed to decrypt.
$iv = @Crypt.createIV("aes-256-cbc");
// Encrypt and decrypt
$encrypted = @Crypt.encrypt("secret data", $key, "aes-256-cbc", $iv);
$decrypted = @Crypt.decrypt($encrypted, $key, "aes-256-cbc", $iv);
// List available ciphers
$ciphers = @Crypt.listCiphers();
RSA key conversion
ZYMBA
$pem = @Crypt.convertPublicKeyRSAToPEM($exponent, $modulus);
@Exception — exception handling
ZYMBA
$e = new @Exception("Something went wrong");
echo $e.getMessage(); // "Something went wrong"
echo $e.getTracesAsString(); // Stack trace
Exceptions are created with new @Exception(message) and thrown with throw. When you catch a plain string that was thrown, the runtime wraps it in an exception object automatically:
ZYMBA
try {
    throw "error message";
} catch ($e) {
    echo $e.getMessage(); // "error message"
}
See Exception Handling for complete usage patterns.
Security best practices
Always hash passwords
ZYMBA
// NEVER store plain passwords
$hash = @Crypt.hashPassword($plainPassword);
// Store $hash in database
// Verify on login
if (!@Crypt.verifyPassword($inputPassword, $storedHash)) {
    throw new @Exception("Invalid credentials");
}
Constant-time comparison for secrets
ZYMBA
// WRONG — timing attack vulnerable
if ($token == $expectedToken) { ... }
// CORRECT — constant-time comparison
if (@Crypt.equalsTimeConstant($expectedToken, $token)) { ... }
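Why `==` is unsafe for secrets, as an added example that is not part of the original page and is written in Python rather than Zymba so it can be run and checked: an early-exit comparison does an amount of work that depends on where the first mismatch falls, while a fixed-work comparison does not. The function names and sample values are constructed for illustration and say nothing about how `@Crypt.equalsTimeConstant` is implemented.

```python
import hashlib
import hmac


def early_exit_equals(a: bytes, b: bytes):
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (equal, bytes_compared) so the data-dependent work is visible.
    """
    if len(a) != len(b):
        return False, 0
    compared = 0
    for x, y in zip(a, b):
        compared += 1
        if x != y:
            return False, compared
    return True, compared


def fixed_work_equals(a: bytes, b: bytes):
    """Comparison that always inspects every byte.

    Illustrative only: real Python code should call hmac.compare_digest.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    compared = 0
    for x, y in zip(a, b):
        compared += 1
        diff |= x ^ y  # accumulate mismatches without branching on them
    return diff == 0, compared


def verify_signature(secret: bytes, message: bytes, signature_hex: str) -> bool:
    """Check an HMAC-SHA256 hex signature with the stdlib constant-time compare."""
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


# Constructed sample values, not from the original page.
EXPECTED = bytes(range(32))
WRONG_FIRST = b"\xff" + EXPECTED[1:]   # mismatch at byte 0
WRONG_LAST = EXPECTED[:-1] + b"\xff"   # mismatch at byte 31

if __name__ == "__main__":
    for name, guess in [("first byte wrong", WRONG_FIRST), ("last byte wrong", WRONG_LAST)]:
        print(name, early_exit_equals(EXPECTED, guess), fixed_work_equals(EXPECTED, guess))
```

The early-exit version compares 1 byte in one case and 32 in the other, which is the variation a constant-time comparison removes.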
Use parameterized queries (not @Crypt)
SQL injection prevention is handled by @SQL.prepare(), not by cryptographic methods. See Database for details.