hash_equals - Timing attack safe string comparison
Вернуться к: Hash
hash_equals
(PHP 5 >= 5.6.0, PHP 7)
hash_equals — Timing attack safe string comparison
Описание
$known_string
, string $user_string
)Compares two strings using the same time whether they're equal or not.
This function should be used to mitigate timing attacks; for instance, when testing crypt() password hashes.
Список параметров
-
known_string
-
The string of known length to compare against
-
user_string
-
The user-supplied string
Возвращаемые значения
Returns TRUE
when the two strings are equal, FALSE
otherwise.
Ошибки
Emits an E_WARNING
message when either of the
supplied parameters is not a string.
Примеры
Пример #1 example
<?php
$expected = crypt('12345', '$2a$07$usesomesillystringforsalt$');
$correct = crypt('12345', '$2a$07$usesomesillystringforsalt$');
$incorrect = crypt('apple', '$2a$07$usesomesillystringforsalt$');
var_dump(hash_equals($expected, $correct));
var_dump(hash_equals($expected, $incorrect));
?>
Результат выполнения данного примера:
bool(true) bool(false)
Примечания
Замечание:
Both arguments must be of the same length to be compared successfully. When arguments of differing length are supplied,
FALSE
is returned immediately and the length of the known string may be leaked in case of a timing attack.
Замечание:
It is important to provide the user-supplied string as the second parameter, rather than the first.
Вернуться к: Hash