<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Timing attack safe string comparison</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.hash-copy.html">hash_copy</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.hash-file.html">hash_file</a></div> <div class="up"><a href="ref.hash.html">Hash Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="function.hash-equals" class="refentry"> <div class="refnamediv"> <h1 class="refname">hash_equals</h1> <p class="verinfo">(PHP 5 >= 5.6.0, PHP 7)</p><p class="refpurpose"><span class="refname">hash_equals</span> — <span class="dc-title">Timing attack safe string comparison</span></p> </div> <div class="refsect1 description" id="refsect1-function.hash-equals-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type">bool</span> <span class="methodname"><strong>hash_equals</strong></span> ( <span class="methodparam"><span class="type">string</span> <code class="parameter">$known_string</code></span> , <span class="methodparam"><span class="type">string</span> <code class="parameter">$user_string</code></span> )</div> <p class="para rdfs-comment"> Compares two strings, taking the same amount of time whether or not they are equal. </p> <p class="para"> This function should be used to mitigate timing attacks; for instance, when testing <span class="function"><a href="function.crypt.html" class="function">crypt()</a></span> password hashes. 
</p> </div> <div class="refsect1 parameters" id="refsect1-function.hash-equals-parameters"> <h3 class="title">Parameters</h3> <dl> <dt> <code class="parameter">known_string</code></dt> <dd> <p class="para"> The <span class="type"><a href="language.types.string.html" class="type string">string</a></span> of known length to compare against </p> </dd> <dt> <code class="parameter">user_string</code></dt> <dd> <p class="para"> The user-supplied string </p> </dd> </dl> </div> <div class="refsect1 returnvalues" id="refsect1-function.hash-equals-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns <strong><code>TRUE</code></strong> when the two strings are equal, <strong><code>FALSE</code></strong> otherwise. </p> </div> <div class="refsect1 errors" id="refsect1-function.hash-equals-errors"> <h3 class="title">Errors/Exceptions</h3> <p class="para"> Emits an <strong><code>E_WARNING</code></strong> message when either of the supplied parameters is not a string. </p> </div> <div class="refsect1 examples" id="refsect1-function.hash-equals-examples"> <h3 class="title">Examples</h3> <div class="example" id="example-923"> <p><strong>Example #1 <span class="function"><strong>hash_equals()</strong></span> example</strong></p> <div class="example-contents"> <div class="phpcode"><pre><code>&lt;?php
$expected  = crypt('12345', '$2a$07$usesomesillystringforsalt$');
$correct   = crypt('12345', '$2a$07$usesomesillystringforsalt$');
$incorrect = crypt('apple', '$2a$07$usesomesillystringforsalt$');

var_dump(hash_equals($expected, $correct));
var_dump(hash_equals($expected, $incorrect));
?&gt;</code></pre></div> </div> <div class="example-contents"><p>The above example will output:</p></div> <div class="example-contents screen"> <div class="cdata"><pre>
bool(true)
bool(false)
</pre></div> </div> </div> </div> <div class="refsect1 notes" id="refsect1-function.hash-equals-notes"> <h3 class="title">Notes</h3> <blockquote class="note"><p><strong class="note">Note</strong>: <p class="para"> Both arguments must be of the same length to be compared successfully. When arguments of differing length are supplied, <strong><code>FALSE</code></strong> is returned immediately and the length of the known string may be leaked in case of a timing attack.
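An added example, not from the PHP manual, showing hash_equals() used the way these notes describe: the HMAC the server computes itself is the known string and goes first, the signature taken from the request goes second, and a hash-both-sides variant gives the two arguments one fixed length so the early FALSE on a length mismatch cannot reveal how long the known string is. The secret, payload and the function names sign(), verifySignature(), verifyFixedLength() and verifyFromRequest() are this example's own constructions.

```php
<?php
// Added example, not from the PHP manual. $secret and $payload are
// constructed sample values; the function names are this example's own.

// HMAC-SHA256 tag over a request body, hex encoded (64 characters).
function sign(string $secret, string $payload): string
{
    return hash_hmac('sha256', $payload, $secret);
}

// The value we computed ourselves is the known string and goes first;
// the signature taken from the request is the user string and goes second.
function verifySignature(string $secret, string $payload, string $userSignature): bool
{
    $expected = sign($secret, $payload);
    return hash_equals($expected, $userSignature);
}

// Variant for the note on argument length: hashing both sides first gives
// the two arguments the same fixed length, so the early FALSE on a length
// mismatch cannot reveal how long the known string is. The known string
// still goes first.
function verifyFixedLength(string $known, string $user): bool
{
    return hash_equals(hash('sha256', $known), hash('sha256', $user));
}

// hash_equals() emits E_WARNING and returns FALSE for a non-string argument,
// so reject a missing or malformed header before calling it.
function verifyFromRequest(string $secret, string $payload, $header): bool
{
    if (!is_string($header)) {
        return false;
    }
    return verifySignature($secret, $payload, $header);
}

$secret  = 'constructed-sample-secret';
$payload = '{"event":"order.created","id":42}';
$good    = sign($secret, $payload);
// Same length as $good, last hex digit changed.
$bad     = substr($good, 0, -1) . (substr($good, -1) === '0' ? '1' : '0');

var_dump(verifySignature($secret, $payload, $good));
var_dump(verifySignature($secret, $payload, $bad));
var_dump(verifyFixedLength('constructed-token', 'constructed-token'));
var_dump(verifyFromRequest($secret, $payload, null));
```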
</p> </p></blockquote> <blockquote class="note"><p><strong class="note">Note</strong>: <p class="para"> It is important to provide the user-supplied string as the second parameter, rather than the first. </p> </p></blockquote> </div> </div></body></html>