hash_equals( string $a, string $b )

Timing attack safe string comparison

Description

Compares two strings using the same time whether they’re equal or not.

Note: It can leak the length of a string when arguments of differing length are supplied.

This function was added in PHP 5.6. However, the Hash extension may be explicitly disabled on select servers. As of PHP 7.4.0, the Hash extension is a core PHP extension and can no longer be disabled. I.e. when PHP 7.4.0 becomes the minimum requirement, this polyfill can be safely removed.

Parameters

$a

(string) (Required) Expected string.

$b

(string) (Required) Actual, user supplied, string.

Return

(bool) Whether strings are equal.

Source

File: wp-includes/compat.php 

function hash_equals( $a, $b ) {
		$a_length = strlen( $a );
		if ( strlen( $b ) !== $a_length ) {
			return false;
		}
		$result = 0;

		// Do not attempt to "optimize" this.
		for ( $i = 0; $i < $a_length; $i++ ) {
			$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
		}

		return 0 === $result;
	}

Used By

Used By Description
wp-includes/rest-api/endpoints/class-wp-rest-widgets-controller.php: WP_REST_Widgets_Controller::save_widget()

Saves the widget in the request object.
wp-includes/rest-api/endpoints/class-wp-rest-widget-types-controller.php: WP_REST_Widget_Types_Controller::encode_form_data()

An RPC-style endpoint which can be used by clients to turn user input in a widget admin form into an encoded instance object.
wp-includes/class-wp-recovery-mode-cookie-service.php: WP_Recovery_Mode_Cookie_Service::validate_cookie()

Validates the recovery mode cookie.
wp-includes/comment.php: wp_get_unapproved_comment_author_email()

Get unapproved comment author’s email.
wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php: WP_REST_Posts_Controller::get_item_permissions_check()

Checks if a given request has access to read a post.
wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php: WP_REST_Posts_Controller::can_access_password_content()

Checks if the user can access password-protected content.
wp-includes/class-wp-customize-nav-menus.php: WP_Customize_Nav_Menus::render_nav_menu_partial()

Render a specific menu via wp_nav_menu() using the supplied arguments.
wp-includes/pluggable.php: wp_verify_nonce()

Verifies that a correct security nonce was used with time limit.
wp-includes/pluggable.php: wp_check_password()

Checks the plaintext password against the encrypted Password.
wp-includes/pluggable.php: wp_validate_auth_cookie()

Validates authentication cookie.
wp-includes/user.php: check_password_reset_key()

Retrieves a user row based on password reset key and login
wp-includes/class-wp-customize-widgets.php: WP_Customize_Widgets::sanitize_widget_instance()

Sanitizes a widget instance.

Changelog

Version Description
3.9.2 Introduced.

© 2003–2021 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/hash_equals