public static function Crypt::hashEquals in Zircon Profile 8.0

Same name and namespace in other branches
  1. 8 core/lib/Drupal/Component/Utility/Crypt.php \Drupal\Component\Utility\Crypt::hashEquals()

Compares strings in constant time.

Parameters

string $known_string: The expected string.

string $user_string: The user supplied string to check.

Return value

bool Returns TRUE when the two strings are equal, FALSE otherwise.

5 calls to Crypt::hashEquals()
AccountForm::form in core/modules/user/src/AccountForm.php
Gets the actual form array to be built.
PhpassHashedPassword::check in core/lib/Drupal/Core/Password/PhpassHashedPassword.php
Check whether a plain text password matches a hashed password.
rebuild.php in core/rebuild.php
Rebuilds all Drupal caches even when Drupal itself does not work.
UserController::confirmCancel in core/modules/user/src/Controller/UserController.php
Confirms cancelling a user account via an email link.
UserController::resetPass in core/modules/user/src/Controller/UserController.php
Returns the user password reset page.

File

core/lib/Drupal/Component/Utility/Crypt.php, line 146
Contains \Drupal\Component\Utility\Crypt.

Class

Crypt
Utility class for cryptographically-secure string handling routines.

Namespace

Drupal\Component\Utility

Code

public static function hashEquals($known_string, $user_string) {
  if (function_exists('hash_equals')) {
    return hash_equals($known_string, $user_string);
  }
  else {

    // Backport of hash_equals() function from PHP 5.6
    // @see https://github.com/php/php-src/blob/PHP-5.6/ext/hash/hash.c#L739
    if (!is_string($known_string)) {
      trigger_error(sprintf("Expected known_string to be a string, %s given", gettype($known_string)), E_USER_WARNING);
      return FALSE;
    }
    if (!is_string($user_string)) {
      trigger_error(sprintf("Expected user_string to be a string, %s given", gettype($user_string)), E_USER_WARNING);
      return FALSE;
    }
    $known_len = strlen($known_string);
    if ($known_len !== strlen($user_string)) {
      return FALSE;
    }

    // This is security sensitive code. Do not optimize this for speed.
    $result = 0;
    for ($i = 0; $i < $known_len; $i++) {
      $result |= ord($known_string[$i]) ^ ord($user_string[$i]);
    }
    return $result === 0;
  }
}
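
A typical caller pattern for this comparison, as an added example that is not part of Drupal core or of this page: verifying an HMAC-signed link token. The helpers make_token() and check_token(), the key and the field values are hypothetical; it calls PHP's built-in hash_equals() (PHP 5.6+), which Crypt::hashEquals() wraps.

```php
<?php
// Added example. make_token() and check_token() are hypothetical helpers,
// not Drupal APIs; the key and field values are constructed sample data.

function make_token($key, $uid, $timestamp) {
  // HMAC-SHA256 hex digest: always 64 characters. Because every valid token
  // has the same length, the early length check in the comparison tells an
  // attacker nothing about the expected value.
  return hash_hmac('sha256', $uid . ':' . $timestamp, $key);
}

function check_token($key, $uid, $timestamp, $user_token) {
  // Request parameters can arrive as arrays (?token[]=x). Reject non-strings
  // up front: older PHP only warns and returns FALSE, PHP 8 throws TypeError.
  if (!is_string($user_token)) {
    return FALSE;
  }
  $expected = make_token($key, $uid, $timestamp);
  // Known value first, user-supplied value second, matching the
  // ($known_string, $user_string) signature documented above.
  return hash_equals($expected, $user_token);
}

$key = 'constructed-sample-key-not-a-real-secret';
$token = make_token($key, 42, 1700000000);

// Case 1: the token is presented with the values it was issued for.
var_dump(check_token($key, 42, 1700000000, $token));
// Case 2: the token is replayed for a different uid.
var_dump(check_token($key, 43, 1700000000, $token));
// Case 3: a truncated token fails on the length check.
var_dump(check_token($key, 42, 1700000000, substr($token, 1)));
// Case 4: an array-valued parameter is rejected before the comparison.
var_dump(check_token($key, 42, 1700000000, array($token)));
```

Inside Drupal 8 code, the hash_equals() call would be Crypt::hashEquals($expected, $user_token), so the same check still works on PHP versions that lack the built-in.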