Introduction
Recently, there is a post on Hacker News (https://news.ycombinator.com/item?id=9484757) that mentions a way to detect how a Web site passwords are encrypted.
The results are:
BOOL (TRUE) bool (TRUE) bool (true)
If a website, using 240610708 as a password, and then log in with Qnkcdzo, the results can be logged in, indicating that the password is saved in MD5 way. Similarly, if you use Aarozmok as the password, and then log in with Aak1stfy, the results can be logged in, the password is stored in SHA1 way. The third, of course, is the plaintext store.
AnalysisTake the first set of numbers as an example:
The result of MD5 (' 240610708 ') is: 0e462097431906509019562988736854md5 (' Qnkcdzo ') The result is: 0e830400451993494058024219903391
Because PHP is a weakly typed language, when using the = = number, if you compare a number and a string or compare strings that involve digital content, the string is converted to numeric values and compared to numeric values. This rule also applies to switch statements. The two strings in the above example just start with the scientific notation of 0e, and the strings are implicitly converted to floating-point numbers, which are actually equivalent to 0x10^0, and therefore are equal in comparison.
Similar The first return is true, the second returns false
conclusion Hash check in PHP should use "= = =" instead of "= =". In addition, if the production environment version is high enough (PHP >= 5.6.0), it is best to use the Hash_equals () function.
Hash_equals () compares two strings, regardless of whether they are equal, the time consumption of the function is constant and can be used to prevent sequential attacks.