mirror of
https://github.com/fofolee/uTools-Manuals.git
synced 2025-06-18 13:57:03 +08:00
124 lines
5.8 KiB
HTML
124 lines
5.8 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||
<html>
|
||
<head>
|
||
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
|
||
<title>可防止时序攻击的字符串比较</title>
|
||
</head>
|
||
<body class="docs"><div id="layout">
|
||
<div id="layout-content"><div id="function.hash-equals" class="refentry">
|
||
<div class="refnamediv">
|
||
<h1 class="refname">hash_equals</h1>
|
||
<p class="verinfo">(PHP 5 >= 5.6.0, PHP 7)</p><p class="refpurpose"><span class="refname">hash_equals</span> — <span class="dc-title">可防止时序攻击的字符串比较</span></p>
|
||
|
||
</div>
|
||
|
||
<div class="refsect1 description" id="refsect1-function.hash-equals-description">
|
||
<h3 class="title">说明</h3>
|
||
<div class="methodsynopsis dc-description">
|
||
<span class="methodname"><strong>hash_equals</strong></span>
|
||
( <span class="methodparam"><span class="type">string</span> <code class="parameter">$known_string</code></span>
|
||
, <span class="methodparam"><span class="type">string</span> <code class="parameter">$user_string</code></span>
|
||
) : <span class="type">bool</span></div>
|
||
|
||
<p class="para rdfs-comment">
|
||
比较两个字符串,无论它们是否相等,本函数的时间消耗是恒定的。
|
||
</p>
|
||
<p class="para">
|
||
本函数可以用在需要防止时序攻击的字符串比较场景中,
|
||
例如,可以用在比较 <span class="function"><a href="crypt.html" class="function">crypt()</a></span> 密码哈希值的场景。
|
||
</p>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 parameters" id="refsect1-function.hash-equals-parameters">
|
||
<h3 class="title">参数</h3>
|
||
<dl>
|
||
|
||
|
||
<dt>
|
||
<code class="parameter">known_string</code></dt>
|
||
|
||
<dd>
|
||
|
||
<p class="para">
|
||
已知长度的、要参与比较的 <span class="type"><a href="language.types.string.html" class="type string">string</a></span>
|
||
</p>
|
||
</dd>
|
||
|
||
|
||
|
||
<dt>
|
||
<code class="parameter">user_string</code></dt>
|
||
|
||
<dd>
|
||
|
||
<p class="para">
|
||
用户提供的字符串
|
||
</p>
|
||
</dd>
|
||
|
||
|
||
</dl>
|
||
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 returnvalues" id="refsect1-function.hash-equals-returnvalues">
|
||
<h3 class="title">返回值</h3>
|
||
<p class="para">
|
||
当两个字符串相等时返回 <strong><code>TRUE</code></strong>,否则返回 <strong><code>FALSE</code></strong>。
|
||
</p>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 errors" id="refsect1-function.hash-equals-errors">
|
||
<h3 class="title">错误/异常</h3>
|
||
<p class="para">
|
||
如果所提供的 2 个参数中任何一个不是字符串,
|
||
会导致 <strong><code>E_WARNING</code></strong> 消息。
|
||
</p>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 examples" id="refsect1-function.hash-equals-examples">
|
||
<h3 class="title">范例</h3>
|
||
<p class="para">
|
||
<div class="example" id="example-890">
|
||
<p><strong>Example #1 <span class="function"><strong>hash_equals()</strong></span> 例程</strong></p>
|
||
<div class="example-contents">
|
||
<div class="phpcode"><pre><span style="color: #000000">
|
||
<span style="color: #0000BB"><?php<br />$expected </span><span style="color: #007700">= </span><span style="color: #0000BB">crypt</span><span style="color: #007700">(</span><span style="color: #DD0000">'12345'</span><span style="color: #007700">, </span><span style="color: #DD0000">'$2a$07$usesomesillystringforsalt$'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$correct </span><span style="color: #007700">= </span><span style="color: #0000BB">crypt</span><span style="color: #007700">(</span><span style="color: #DD0000">'12345'</span><span style="color: #007700">, </span><span style="color: #DD0000">'$2a$07$usesomesillystringforsalt$'</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$incorrect </span><span style="color: #007700">= </span><span style="color: #0000BB">crypt</span><span style="color: #007700">(</span><span style="color: #DD0000">'apple'</span><span style="color: #007700">, </span><span style="color: #DD0000">'$2a$07$usesomesillystringforsalt$'</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">hash_equals</span><span style="color: #007700">(</span><span style="color: #0000BB">$expected</span><span style="color: #007700">, </span><span style="color: #0000BB">$correct</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">var_dump</span><span style="color: #007700">(</span><span style="color: #0000BB">hash_equals</span><span style="color: #007700">(</span><span style="color: #0000BB">$expected</span><span style="color: #007700">, </span><span style="color: #0000BB">$incorrect</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">?></span>
|
||
</span>
|
||
</pre></div>
|
||
</div>
|
||
|
||
<div class="example-contents"><p>以上例程会输出:</p></div>
|
||
<div class="example-contents screen">
|
||
<div class="cdata"><pre>
|
||
bool(true)
|
||
bool(false)
|
||
</pre></div>
|
||
</div>
|
||
</div>
|
||
</p>
|
||
</div>
|
||
|
||
|
||
<div class="refsect1 notes" id="refsect1-function.hash-equals-notes">
|
||
<h3 class="title">注释</h3>
|
||
<blockquote class="note"><p><strong class="note">Note</strong>:
|
||
<p class="para">
|
||
要想成功进行比较,那么所提供的 2 个参数必须是相同长度的字符串。
|
||
如果所提供的字符串长度不同,那么本函数会立即返回 <strong><code>FALSE</code></strong>,
|
||
在时序攻击的场景下,已知字符串的长度可能会被泄露。
|
||
</p>
|
||
</p></blockquote>
|
||
<blockquote class="note"><p><strong class="note">Note</strong>:
|
||
<p class="para">
|
||
非常重要的一点是,用户提供的字符串必须是第二个参数。
|
||
</p>
|
||
</p></blockquote>
|
||
</div>
|
||
|
||
|
||
</div></div></div></body></html> |