Whatever message this page gives is out now! Go check it out!

Hash

Last update:
May 18, 2026

Description

Converts a variable-length string to a fixed-length string that can act as a "fingerprint" or identifier for the original string. It is not possible to convert the hash result back to the source string.

Returns

A string.

Category

Conversion functionsSecurity functionsString functions

Function syntax

hash(string [, algorithm [, encoding] [,outputEncoding] [, iterations ]])

History

  • ColdFusion (2025 release):
    • Added the parameter outputEncoding.
    • Removed CFMX_COMPAT algorithm support. The default algorithm 'CFMX_COMPAT' has been changed to 'SHA_256'.
  • ColdFusion (2023 release) Update 8 and ColdFusion (2021 release) Update 14: Changed the default algorithm from CFMX_COMPAT to SHA-256.
  • ColdFusion MX 7: Added the algorithm and encoding parameters.
  • ColdFusion 10: Added the iterations argument.

Parameters

Parameter
Description
string
String to hash .
algorithm
(Optional) The algorithm to use to hash the string. ColdFusion installs a cryptography library with the following algorithms:
  • CFMX_COMPAT: Generates a hash string identical to that generated by ColdFusion MX and ColdFusion MX 6.1. It is only a place holder algorithm that informs ColdFusion to use an algorithm compatible with CFMX if the user does not have any option to provide algorithm. This is no longer the default algorithm.
  • MD5: Generates a 32-character, hexadecimal string, using the MD5 algorithm (The algorithm used in ColdFusion MX and prior releases).
  • SHA: Generates a 40-character string using the Secure Hash Standard SHA-1 algorithm specified by Nation Institute of Standards and Technology (NIST) FIPS-180-2.
  • SHA-256: (Default) Generates a 64-character string using the SHA-256 algorithm specified by FIPS-180-2.
  • SHA-384: Generates a 96-character string using the SHA-384 algorithm specified by FIPS-180-2.
  • SHA-512: Generates a 128-character string using the SHA-512 algorithm specified by FIPS-180-2.
The Enterprise Edition of ColdFusion installs the RSA BSafe Crypto-J library, which provides FIPS-140 Compliant Strong Cryptography. It includes the following algorithms:
  • MD2: The MD2 hash algorithm defined by RFC 1319.
  • MD5: The defined by RFC 1321.
  • RIPEMD160: RACE Integrity Primitives Evaluation Message Digest 160-bit message digest algorithm and cryptographic hash function.
  • SHA-1: The 160-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198.
  • SHA-224: The 224-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198.
  • SHA-256: The 256-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198.
  • SHA-384: The 384-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198.
  • SHA-512: The 512-bit secure hash algorithm defined by FIPS 180-2 and FIPS 198. If you install a security provider with additional cryptography algorithms, you can also specify any of its hashing algorithms.
encoding
(Optional; to use this attribute, also specify the algorithm parameter) A string specifying the encoding to use when converting the string to byte data used by the hash algorithm. Must be a character encoding name recognized by the Java runtime. The default value is the value specified by the defaultCharset entry in the neo-runtime. xml file, which is normally UTF-8. Ignored when using the CFMX_COMPAT algorithm.
outputEncoding
Represents the format or representation of the hash value (also known as the hash digest) that is produced after the hashing algorithm processes the input data. The possible values are:
  • hex
  • base64
  • base64url
iterations
(Optional) The number of times to iterate hashing, to increase hash computation time. CF10+.
ColdFusion considers number of iterations after hashing the given value. Hence, this parameter is the number of iterations + 1. The default number of additional iterations is 0.

Usage

The result of this function is useful for comparison and validation. For example, you can store the hash of a password in a database without exposing the password. You can check the validity of the password by hashing the entered password and comparing the result with the hashed password in the database. ColdFusion uses the Java Cryptography Extension (JCE) and installs a Sun Java runtime that includes the Sun JCE default security provider. This provider includes the algorithms listed in the Parameters section. The JCE framework includes facilities for using other provider implementations; however, Adobe cannot provide technical support for third-party security providers. The encoding attribute is normally not required. It provides a mechanism for generating identical hash values on systems with different default encodings. ColdFusion uses a default encoding of UTF-8 unless you modify the defaultCharset entry in the neo-runtime. xml file.

Example

The following example lets you enter a password and compares the hashed password with a hash value saved in the SecureData table of the cfdocexamples database. This table has the following entries:
User ID
Password
blaw
blaw
dknob
dknob
<cfscript>
    // SHA-256 example
    writeOutput(hash("an important string", "SHA-256", "UTF-8")) 
    // 4825D8AB22800A9BE09986366D6430CA8E704323E4470608AC303A9F1C05626F
    // SHA-512 example
    writeOutput(hash("an important string", "SHA-512", "UTF-8")) 
    //06B24506B66BA5DA743CC8E2F67977C212379FCE7FF8F3BB99AC7A2A0C053D595B1A4077E9C9346453A95067BCED38338920DF8CC85F4ED3313A7039D37DFCD7
</cfscript>
Output
4825D8AB22800A9BE09986366D6430CA8E704323E4470608AC303A9F1C05626F06B24506B66BA5DA743CC8E2F67977C212379FCE7FF8F3BB99AC7A2A0C053D595B1A4077E9C9346453A95067BCED38338920DF8CC85F4ED3313A7039D37DFCD7
Example using SHA-384
<cfscript>
    // String to hash
    originalString = "MySecretMessage";    
   // Hash using SHA-384
    hashedString = hash(originalString, "SHA-384");   
    // Output the hashed string
    writeOutput("Original String: " & originalString & "<br>");
    writeOutput("SHA-384 Hashed String: " & hashedString);
</cfscript>
Output
Original String: MySecretMessage

SHA-384 Hashed String: 13F30E9D72C3E1C3B0F2002DFA6CD9483BA0F7CBB515FB8D20DC6144F7D31AA46801345C5E646563842B2D2CB1F54E49
Example- using outputEncoding="hex"
<cfscript>
    string="This is a string to be encoded."
    writeOutput(hash(string=string, algorithm="SHA-256", encoding="UTF-8",outputEncoding="hex"))
</cfscript>
Output
23BB33716657E6647EDAEDB7B5D3E1AADC61410966C933A7F40ADAD7C13489B6
Example- outputEncoding="base64"
<cfscript>
    string="This is a string to be encoded."
    writeOutput(hash(string=string, algorithm="SHA-256", encoding="UTF-8",outputEncoding="base64"))
</cfscript>
Output
I7szcWZX5mR+2u23tdPhqtxhQQlmyTOn9Ara18E0ibY=
Example- using outputEncoding="base64url"
<cfscript>
    string="This is a string to be encoded."
    writeOutput(hash(string=string, algorithm="SHA-256", encoding="UTF-8",outputEncoding="base64url"))
</cfscript>
Output
I7szcWZX5mR-2u23tdPhqtxhQQlmyTOn9Ara18E0ibY

Share this page

Was this page helpful?
We're glad. Tell us how this page helped.
We're sorry. Can you tell us what didn't work for you?
Thank you for your feedback. Your response will help improve this page.

On this page