I saw a version on php.net, but it has a lot of downvotes and I don't know why.

```php
// hash_equals() polyfill as posted on php.net (for PHP < 5.6)
if (!function_exists('hash_equals')) {
    function hash_equals($str1, $str2) {
        if (strlen($str1) != strlen($str2)) {
            return false;
        } else {
            // Byte-wise XOR of the two strings, then OR every byte into $ret
            // so the loop always runs to completion (constant time)
            $res = $str1 ^ $str2;
            $ret = 0;
            for ($i = strlen($res) - 1; $i >= 0; $i--) {
                $ret |= ord($res[$i]);
            }
            return !$ret;
        }
    }
}
```

If this implementation is really bad, please explain why; it would be best to give an alternative solution as well.

Stack Overflow shows the following (from the PHP source):

```c
PHP_FUNCTION(hash_equals)
{
    /* ... */
    if (Z_STRLEN_P(known_zval) != Z_STRLEN_P(user_zval)) {
        RETURN_FALSE;
    }
    /* ... */
    /* This is security sensitive code. Do not optimize this for speed. */
    for (j = 0; j < Z_STRLEN_P(known_zval); j++) {
        result |= known_str[j] ^ user_str[j];
    }
    RETURN_BOOL(0 == result);
}
```

It seems there is nothing different from the polyfill above.
Reply content:
The types are not checked strictly, so if an attacker can control the type of the input parameters in some way, they can attack it:

```php
function bug_hash_equals($str1, $str2) {
    if (strlen($str1) != strlen($str2)) {
        return false;
    } else {
        $res = $str1 ^ $str2;
        $ret = 0;
        for ($i = strlen($res) - 1; $i >= 0; $i--) {
            $ret |= ord($res[$i]);
        }
        return !$ret;
    }
}

// strlen(0.0001) is 6 ('0.0001'), so the length check passes; on PHP 5/7 the
// XOR then coerces both operands to int 0, ord() of that is 0, and !0 is true
var_dump(bug_hash_equals('aaabbb', 0.0001)); // true
```

http://sandbox.onlinephpfunctions.com/code/e7c978d047486534441403a88680cefb85b1a48c
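A hardened variant of the polyfill, added here as an example and not code from the question, the reply or php.net; the function name `safe_hash_equals` and the sample values are assumptions. It rejects non-string arguments up front (as the native function does) and keeps the constant-time loop, so the float that fooled the original version is refused instead of "matching":

```php
<?php
// Added example: type-strict, constant-time string comparison.
// Argument order follows the native hash_equals(): known string first,
// user-supplied string second. Name and sample values are assumptions.
function safe_hash_equals($known, $user)
{
    // Refuse anything that is not a string before any arithmetic happens.
    // The flawed polyfill let a float reach the string XOR, where PHP
    // coerced both sides to int 0 and reported a match.
    if (!is_string($known) || !is_string($user)) {
        trigger_error('safe_hash_equals(): both arguments must be strings', E_USER_WARNING);
        return false;
    }

    $knownLen = strlen($known);
    if ($knownLen !== strlen($user)) {
        return false;
    }

    // Visit every byte, accumulate differences with OR, decide only at the end,
    // so the time taken does not depend on where the first mismatch is.
    $result = 0;
    for ($i = 0; $i < $knownLen; $i++) {
        $result |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $result === 0;
}

// Constructed inputs: a matching token, a near-miss, and the float from the reply.
$token = 'aaabbb';
var_dump(safe_hash_equals($token, 'aaabbb'));
var_dump(safe_hash_equals($token, 'aaabbc'));
var_dump(safe_hash_equals($token, 0.0001));
```

The third call now returns false (with a warning) where `bug_hash_equals` returned true; the length check still reveals the length of the known string, exactly as the native implementation does.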