function phutil_hashes_are_identical($u, $v)libphutil Technical Documentation (Core Utilities)
Compare two hashes for equality.
This function defuses two attacks: timing attacks and type juggling attacks.
In a timing attack, the attacker observes that strings which match the secret take slightly longer to fail to match because more characters are compared. By testing a large number of strings, they can learn the secret character by character. This defuses timing attacks by always doing the same amount of work.
In a type juggling attack, an attacker takes advantage of PHP's type rules where "0" == "0e12345" for any exponent. A portion of of hexadecimal hashes match this pattern and are vulnerable. This defuses this attack by performing bytewise character-by-character comparison.
It is questionable how practical these attacks are, but they are possible in theory and defusing them is straightforward.
string | $u | First hash. |
string | $v | Second hash. |
bool | True if hashes are identical. |
- Defined
- src/utils/utils.php:1661