strcmp vs. == vs. === in PHP for checking hash equality

Question

I\'m using crypt() to hash passwords in PHP, and am trying to work out the safest way of testing equality of the resulting hash when performing password checks.

Answer 1

When it comes to security I prefer to use the === operator. === ensures the two operands are exactly the same, without trying to accomodate some casting in order to "help" the comparison to reach a successful match - as it may help while developing thanks to a loose-typed language, like PHP.

Of course, one of the operand is to be trusted. A hash from the database is trustable, while the user input is not.

One can always dither for a while, coming to the conclusion there is no risk using == in a specific case. Maybe. But for instance

  "0afd9f7b678fdefca" == 0 is true
  "aafd9f7b678fdefca" == 0 is also true

as PHP tries to convert the "hash" into a number (probably using atoi) which gives 0. While it is unlikely crypt returns 0, I'd prefer to maximize the cases where the passwords don't match (and answer a support call) by using ===, than allowing a rare case that I didn't think about by using ==.

As for strcmp, the function returns <0 or >0 if different, and 0 if equal. But

  strcmp("3", 0003) returns 0
  strcmp("0003", 0003) returns -3

which are not surprising after all. A literal 0003 is actually an integer, 3 and since strcmp expects a string, the 3 will be converted to "3". But that shows there is some conversion that may happen in this case, since strcmp is a function, while === is part of the language.

So my preference in that case goes to === (which is faster than == anyway).