Vergleich inc/functions_user.php - 1.8.16 - 1.8.19

Zeile 246Zeile 246
		$password_fields = create_password($password, $user['salt'], $user);

return my_hash_equals($user['password'], $password_fields['password']);

		$password_fields = create_password($password, $user['salt'], $user);

return my_hash_equals($user['password'], $password_fields['password']);

	}
}

/**
* Performs a timing attack safe string comparison.
*
* @param string $known_string The first string to be compared.
* @param string $user_string The second, user-supplied string to be compared.
* @return bool Result of the comparison.
*/
function my_hash_equals($known_string, $user_string)
{
if(version_compare(PHP_VERSION, '5.6.0', '>='))
{
return hash_equals($known_string, $user_string);
}
else
{
$known_string_length = my_strlen($known_string);
$user_string_length = my_strlen($user_string);

if($user_string_length != $known_string_length)
{
return false;
}

$result = 0;

for($i = 0; $i < $known_string_length; $i++)
{
$result |= ord($known_string[$i]) ^ ord($user_string[$i]);
}

return $result === 0;

 
	}
}


	}
}
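Review bot: The pre-5.6 fallback in `my_hash_equals` takes both lengths with `my_strlen` but then walks the strings byte by byte with `$known_string[$i]`. `my_strlen` is defined outside this page; if it counts characters (or normalises entities) rather than bytes, two inputs containing multibyte data can pass the length check while the loop compares only a prefix of their bytes. For the hex password hashes passed at the call site above this makes no difference, but the helper is documented as a general string comparison, so I would measure with `strlen($known_string)` and `strlen($user_string)` and compare the lengths with `!==`. The fallback also skips the string type check that `hash_equals` performs, so a short comment stating that both arguments must already be strings would help. The function containing the changed `return` begins outside this section.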