hash_equals( string $a, string $b )

Timing attack safe string comparison

Contents

Description Description

Compares two strings using the same time whether they’re equal or not.

Note: It can leak the length of a string when arguments of differing length are supplied.

This function was added in PHP 5.6. However, the Hash extension may be explicitly disabled on select servers. As of PHP 7.4.0, the Hash extension is a core PHP extension and can no longer be disabled. I.e. when PHP 7.4.0 becomes the minimum requirement, this polyfill can be safely removed.

Parameters Parameters

$a

(string) (Required) Expected string.

$b

(string) (Required) Actual, user supplied, string.

Top ↑

Return Return

(bool) Whether strings are equal.

Top ↑

Source Source

File: wp-includes/compat.php 

	function hash_equals( $a, $b ) {
		$a_length = strlen( $a );
		if ( $a_length !== strlen( $b ) ) {
			return false;
		}
		$result = 0;

		// Do not attempt to "optimize" this.
		for ( $i = 0; $i < $a_length; $i++ ) {
			$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
		}

		return $result === 0;
	}

Expand full source code Collapse full source code View on Trac

Top ↑

Changelog Changelog

Changelog
Version Description
3.9.2 Introduced.

Top ↑

Top ↑

Used By Used By

Used By
Used By Description
wp-includes/class-wp-recovery-mode-cookie-service.php: WP_Recovery_Mode_Cookie_Service::validate_cookie()

Validates the recovery mode cookie.
wp-includes/comment.php: wp_get_unapproved_comment_author_email()

Get unapproved comment author’s email.
wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php: WP_REST_Posts_Controller::get_item_permissions_check()

Checks if a given request has access to read a post.
wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php: WP_REST_Posts_Controller::can_access_password_content()

Checks if the user can access password-protected content.
wp-includes/class-wp-customize-nav-menus.php: WP_Customize_Nav_Menus::render_nav_menu_partial()

Render a specific menu via wp_nav_menu() using the supplied arguments.
wp-includes/pluggable.php: wp_verify_nonce()

Verifies that a correct security nonce was used with time limit.
wp-includes/pluggable.php: wp_check_password()

Checks the plaintext password against the encrypted Password.
wp-includes/pluggable.php: wp_validate_auth_cookie()

Validates authentication cookie.
wp-includes/user.php: check_password_reset_key()

Retrieves a user row based on password reset key and login
wp-includes/class-wp-customize-widgets.php: WP_Customize_Widgets::sanitize_widget_instance()

Sanitizes a widget instance.
Show 5 more used by Hide more used by

Top ↑

User Contributed Notes User Contributed Notes

You must log in before being able to contribute a note or feedback.