Query: hash_equals
OS: php
Section: 3
Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar
HASH_EQUALS(3) 1 HASH_EQUALS(3) hash_equals - Timing attack safe string comparisonSYNOPSISbool hash_equals (string $known_string, string $user_string)DESCRIPTIONCompares two strings using the same time whether they're equal or not. This function should be used to mitigate timing attacks; for instance, when testing crypt(3) password hashes.PARAMETERSo $known_string - The string of known length to compare against o $user_string - The user-supplied stringRETURN VALUESReturns TRUE when the two strings are equal, FALSE otherwise.ERRORS/EXCEPTIONS Emits an E_WARNING message when either of the supplied parameters is not a string.EXAMPLESExample #1 example <?php $expected = crypt('12345', '$2a$07$usesomesillystringforsalt$'); $correct = crypt('12345', '$2a$07$usesomesillystringforsalt$'); $incorrect = crypt('apple', '$2a$07$usesomesillystringforsalt$'); var_dump(hash_equals($expected, $correct)); var_dump(hash_equals($expected, $incorrect)); ?> The above example will output: bool(true) bool(false)NOTESNote Both arguments must be of the same length to be compared successfully. When arguments of differing length are supplied, FALSE is returned immediately and the length of the known string may be leaked in case of a timing attack. Note It is important to provide the user-supplied string as the second parameter, rather than the first. PHP Documentation Group HASH_EQUALS(3)