hash_equals

PHP 5 >= 5.6.0, PHP 7, PHP 8

hash_equals - Timing attack safe string comparison

Hash Equals Online Tool

Manual

Code Examples

hash_equals( string$known_string, string$user_string ): bool

Compares two strings using the same time whether they're equal or not.

This function should be used to mitigate timing attacks; for instance, when testing crypt password hashes.

Parameters

known_string: The string of known length to compare against
user_string: The user-supplied string

Return Values

Returns true when the two strings are equal, false otherwise.

Exceptions and Errors

Emits an E_WARNING message when either of the supplied parameters is not a string.

Notes

Note:

Both arguments must be of the same length to be compared successfully. When arguments of differing length are supplied, false is returned immediately and the length of the known string may be leaked in case of a timing attack.

Note:

It is important to provide the user-supplied string as the second parameter, rather than the first.

Example of hash_equals

Show all examples for hash_equals

Edit/Test in Sandbox

PHP Version:

hash_equals

Parameters

Return Values

Exceptions and Errors

Notes

Note:

Note:

Example of hash_equals

Function hash_equals:

HASH Message Digest Framework Functions

Most used PHP functions