hash_equals

(PHP 5 >= 5.6.0)

hash_equalsTiming attack safe string comparison

Опис

bool hash_equals ( string $known_string , string $user_string )

Compares two strings using the same time whether they're equal or not.

This function should be used to mitigate timing attacks; for instance, when testing crypt() password hashes.

Параметри

known_string

The string of known length to compare against

user_string

The user-supplied string

Значення, що повертаються

Returns TRUE when the two strings are equal, FALSE otherwise.

Помилки/Винятки

Emits an E_WARNING message when either of the supplied parameters is not a string.

Приклади

Приклад #1 example

<?php
$expected  
crypt('12345''$2a$07$usesomesillystringforsalt$');
$correct   crypt('12345''$2a$07$usesomesillystringforsalt$');
$incorrect crypt('apple',  '$2a$07$usesomesillystringforsalt$');

var_dump(hash_equals($expected$correct));
var_dump(hash_equals($expected$incorrect));
?>

Наведений вище приклад виведе:

bool(true)
bool(false)

Примітки

Зауваження:

Both arguments must be of the same length to be compared successfully. When arguments of differing length are supplied, FALSE is returned immediately and the length of the known string may be leaked in case of a timing attack.

Зауваження:

It is important to provide the user-supplied string as the second parameter, rather than the first.

add a note add a note

User Contributed Notes

There are no user contributed notes for this page.
To Top