Submit a Pull Request Report a Bug

    hash_equals

    (PHP 5 >= 5.6.0, PHP 7, PHP 8)

    hash_equalsTiming attack safe string comparison

    Descrição

    hash_equals(string $known_string, string $user_string): bool

    Compares two strings using the same time whether they're equal or not.

    This function should be used to mitigate timing attacks; for instance, when testing crypt() password hashes.

    Parâmetros

    known_string

    The string of known length to compare against

    user_string

    The user-supplied string

    Valor Retornado

    Returns true when the two strings are equal, false otherwise.

    Exemplos

    Exemplo #1 hash_equals() example

    <?php
    $expected     = crypt('12345', '$2a$07$usesomesillystringforsalt$');
    $correct = crypt('12345', '$2a$07$usesomesillystringforsalt$');
    $incorrect = crypt('apple', '$2a$07$usesomesillystringforsalt$');

    var_dump(hash_equals($expected, $correct));
    var_dump(hash_equals($expected, $incorrect));
    ?>

    O exemplo acima produzirá:

    bool(true)
bool(false)

    Notas

    Nota:

    Both arguments must be of the same length to be compared successfully. When arguments of differing length are supplied, false is returned immediately and the length of the known string may be leaked in case of a timing attack.

    Nota:

    It is important to provide the user-supplied string as the second parameter, rather than the first.

    add a note

    User Contributed Notes

    There are no user contributed notes for this page.
    To Top