hash_equals

Advertisement

Summery Summery

Timing attack safe string comparison

Syntax Syntax

hash_equals( string $a, string $b )

Description Description

Compares two strings using the same time whether they’re equal or not.

Note: It can leak the length of a string when arguments of differing length are supplied.

This function was added in PHP 5.6. However, the Hash extension may be explicitly disabled on select servers. As of PHP 7.4.0, the Hash extension is a core PHP extension and can no longer be disabled. I.e. when PHP 7.4.0 becomes the minimum requirement, this polyfill can be safely removed.

Parameters Parameters

$a

(string) (Required) Expected string.

$b

(string) (Required) Actual, user supplied, string.

Return Return

(bool) Whether strings are equal.

Source Source

File: wp-includes/compat.php

		if ( strlen( $b ) !== $a_length ) {
			return false;
		}
		$result = 0;

		// Do not attempt to "optimize" this.
		for ( $i = 0; $i < $a_length; $i++ ) {
			$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
		}

		return 0 === $result;
	}
endif;

Advertisement

Changelog Changelog

Changelog
Version Description
3.9.2 Introduced.

Advertisement

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.