hash_equals

Timing attack safe string comparison.

Description

hash_equals( (string) $a, (string) $b ); 

Compares two strings using the same time whether they're equal or not.

This function was added in PHP 5.6.

Note: It can leak the length of a string when arguments of differing length are supplied.

Parameters (2)

0. $a (string)
Expected string.
1. $b (string)
Actual, user supplied, string.

Usage

  1. if ( !function_exists( 'hash_equals' ) ) { 
  2.     require_once ABSPATH . WPINC . '/compat.php'; 
  4.   
  5. // Expected string. 
  6. $a = ''; 
  7.   
  8. // Actual, user supplied, string. 
  9. $b = ''; 
  10.   
  11. // NOTICE! Understand what this does before running. 
  12. $result = hash_equals($a, $b); 
  13.     

Defined (1)

The function is defined in the following location(s).

/wp-includes/compat.php  
  1. function hash_equals( $a, $b ) { 
  2.     $a_length = strlen( $a ); 
  3.     if ( $a_length !== strlen( $b ) ) { 
  4.         return false; 
  6.     $result = 0; 
  7.  
  8.     // Do not attempt to "optimize" this. 
  9.     for ( $i = 0; $i < $a_length; $i++ ) { 
  10.         $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] ); 
  12.  
  13.     return $result === 0;