strcmp vs. == vs. === in PHP for checking hash equality

前端 未结 4 1565
暗喜
暗喜 2021-02-19 00:46

I\'m using crypt() to hash passwords in PHP, and am trying to work out the safest way of testing equality of the resulting hash when performing password checks.

4条回答
  •  日久生厌
    2021-02-19 01:10

    When it comes to security I prefer to use the === operator. === ensures the two operands are exactly the same, without trying to accomodate some casting in order to "help" the comparison to reach a successful match - as it may help while developing thanks to a loose-typed language, like PHP.

    Of course, one of the operand is to be trusted. A hash from the database is trustable, while the user input is not.

    One can always dither for a while, coming to the conclusion there is no risk using == in a specific case. Maybe. But for instance

      "0afd9f7b678fdefca" == 0 is true
      "aafd9f7b678fdefca" == 0 is also true
    

    as PHP tries to convert the "hash" into a number (probably using atoi) which gives 0. While it is unlikely crypt returns 0, I'd prefer to maximize the cases where the passwords don't match (and answer a support call) by using ===, than allowing a rare case that I didn't think about by using ==.

    As for strcmp, the function returns <0 or >0 if different, and 0 if equal. But

      strcmp("3", 0003) returns 0
      strcmp("0003", 0003) returns -3
    

    which are not surprising after all. A literal 0003 is actually an integer, 3 and since strcmp expects a string, the 3 will be converted to "3". But that shows there is some conversion that may happen in this case, since strcmp is a function, while === is part of the language.

    So my preference in that case goes to === (which is faster than == anyway).

提交回复
热议问题