Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

hash_equals(3) [php man page]

HASH_EQUALS(3)								 1							    HASH_EQUALS(3)

hash_equals - Timing attack safe string comparison

SYNOPSIS

       bool hash_equals (string  $known_string, string	$user_string)

DESCRIPTION

	Compares two strings using the same time whether they're equal or not.

	This function should be used to mitigate timing attacks; for instance, when testing crypt(3) password hashes.

PARAMETERS

	      o $known_string
		- The string of known length to compare against

	      o $user_string
		- The user-supplied string

RETURN VALUES

	Returns TRUE when the two strings are equal, FALSE otherwise.

ERRORS
/EXCEPTIONS
	Emits an E_WARNING message when either of the supplied parameters is not a string.

EXAMPLES

       Example #1

	       example

	      <?php
	      $expected  = crypt('12345', '$2a$07$usesomesillystringforsalt$');
	      $correct	 = crypt('12345', '$2a$07$usesomesillystringforsalt$');
	      $incorrect = crypt('apple',  '$2a$07$usesomesillystringforsalt$');

	      var_dump(hash_equals($expected, $correct));
	      var_dump(hash_equals($expected, $incorrect));
	      ?>

	      The above example will output:

	      bool(true)
	      bool(false)

NOTES

       Note

	       Both  arguments	must  be of the same length to be compared successfully. When arguments of differing length are supplied, FALSE is
	      returned immediately and the length of the known string may be leaked in case of a timing attack.

       Note

	       It is important to provide the user-supplied string as the second parameter, rather than the first.

PHP Documentation Group 													    HASH_EQUALS(3)

Check Out this Related Man Page

OPENSSL_RANDOM_PSEUDO_BYTES(3)						 1					    OPENSSL_RANDOM_PSEUDO_BYTES(3)

openssl_random_pseudo_bytes - Generate a pseudo-random string of bytes

SYNOPSIS

       string openssl_random_pseudo_bytes (int	$length, [bool	&$crypto_strong])

DESCRIPTION

	Generates a string of pseudo-random bytes, with the number of bytes determined by the $length parameter.

	It  also  indicates  if  a  cryptographically strong algorithm was used to produce the pseudo-random bytes, and does this via the optional
       $crypto_strong parameter. It's rare for this to be FALSE, but some systems may be broken or old.

PARAMETERS

	      o $length
		- The length of the desired string of bytes. Must be a positive integer. PHP will try to cast this parameter to a non-null integer
		to use it.

	      o $crypto_strong
		-  If  passed  into  the  function,  this  will  hold a boolean value that determines if the algorithm used was "cryptographically
		strong", e.g., safe for usage with GPG, passwords, etc.  TRUE if it did, otherwise FALSE

RETURN VALUES

	Returns the generated string of bytes on success, or FALSE on failure.

EXAMPLES

       Example #1

	      openssl_random_pseudo_bytes(3) example

	      <?php
	      for ($i = -1; $i <= 4; $i++) {
		  $bytes = openssl_random_pseudo_bytes($i, $cstrong);
		  $hex	 = bin2hex($bytes);

		  echo "Lengths: Bytes: $i and Hex: " . strlen($hex) . PHP_EOL;
		  var_dump($hex);
		  var_dump($cstrong);
		  echo PHP_EOL;
	      }
	      ?>

	      The above example will output something similar to:

	      Lengths: Bytes: -1 and Hex: 0
	      string(0) ""
	      NULL

	      Lengths: Bytes: 0 and Hex: 0
	      string(0) ""
	      NULL

	      Lengths: Bytes: 1 and Hex: 2
	      string(2) "42"
	      bool(true)

	      Lengths: Bytes: 2 and Hex: 4
	      string(4) "dc6e"
	      bool(true)

	      Lengths: Bytes: 3 and Hex: 6
	      string(6) "288591"
	      bool(true)

	      Lengths: Bytes: 4 and Hex: 8
	      string(8) "ab86d144"
	      bool(true)

SEE ALSO 
random_bytes(3), bin2hex(3), crypt(3), mt_rand(3), uniqid(3).
PHP Documentation Group 											    OPENSSL_RANDOM_PSEUDO_BYTES(3)
Man Page