Edward Z. Yang wrote:
I would recommend rolling a pure-PHP implementation of SHA-256 and siwtching to the hash implementation if it is present.
New crypto implementations often have far more security issues than the primitives they're implementing. Despite the known attacks on SHA-1, it's perfectly fine for password hashing, and it doesn't require external libraries. Use it, be merry.