在PHP中使用strcmp vs.== vs.===来检查哈希是否相等 [英] strcmp vs. == vs. === in PHP for checking hash equality
问题描述
我正在使用crypt()在PHP中对密码进行哈希处理,并且正在尝试找出执行密码检查时测试所得哈希值是否相等的最安全方法.
我可以看到三个选项:
选项1-双重等于
function checkPassword($hash, $password)
{
return crypt($password, $hash) == $hash;
}
选项2-三重相等
function checkPassword($hash, $password)
{
return crypt($password, $hash) === $hash;
}
选项3-strcmp()
function checkPassword($hash, $password)
{
return strcmp(crypt($password, $hash), $hash) === 0;
}
我的直觉告诉我,由于缺乏类型检查,选项1是一个坏主意,选项2或3可能更好.但是,如果在特定情况下===或strcmp将失败,我将无法解决.为此目的,哪一个最安全?
在安全性方面,我更喜欢使用===运算符. ===确保两个操作数完全相同,而无需尝试进行某种强制转换以帮助"比较以达到成功的匹配-由于使用像PHP这样的松散类型语言,在开发过程中可能会有所帮助./p>
当然,操作数之一是可信的.来自数据库的哈希是可信任的,而用户输入则不可信.
一个人总是可以抖动一阵子,得出的结论是在特定情况下使用==没有风险.可能是.但是例如
"0afd9f7b678fdefca" == 0 is true
"aafd9f7b678fdefca" == 0 is also true
因为PHP尝试将哈希"转换为一个数字(可能使用 atoi ),该数字为0.尽管crypt不太可能返回0,但我希望最大化以下情况:通过使用===密码不匹配(并且不回答支持电话),这比允许通过使用==我没有想到的罕见情况
对于strcmp,如果不同,该函数将返回<0或>0,如果相等,则返回0.但是
strcmp("3", 0003) returns 0
strcmp("0003", 0003) returns -3
这毕竟不足为奇.文字0003实际上是一个整数3,并且由于 strcmp 需要一个字符串,因此3将被转换为"3".但这表明在这种情况下可能会发生一些转换,因为 strcmp 是一个函数,而===是该语言的一部分.
因此,在这种情况下,我更喜欢===(无论如何,它都比==快).
I'm using crypt() to hash passwords in PHP, and am trying to work out the safest way of testing equality of the resulting hash when performing password checks.
There are three options that I can see:
Option 1 - Double Equals
function checkPassword($hash, $password)
{
return crypt($password, $hash) == $hash;
}
Option 2 - Triple Equals
function checkPassword($hash, $password)
{
return crypt($password, $hash) === $hash;
}
Option 3 - strcmp()
function checkPassword($hash, $password)
{
return strcmp(crypt($password, $hash), $hash) === 0;
}
My intuition tells me that option 1 is a bad idea, due to the lack of type checking, and that options 2 or 3 are likely to be better. However, I can't work out if there's a specific case that === or strcmp would fail under. Which is safest for this purpose?
When it comes to security I prefer to use the === operator. === ensures the two operands are exactly the same, without trying to accomodate some casting in order to "help" the comparison to reach a successful match - as it may help while developing thanks to a loose-typed language, like PHP.
Of course, one of the operand is to be trusted. A hash from the database is trustable, while the user input is not.
One can always dither for a while, coming to the conclusion there is no risk using == in a specific case. Maybe. But for instance
"0afd9f7b678fdefca" == 0 is true
"aafd9f7b678fdefca" == 0 is also true
as PHP tries to convert the "hash" into a number (probably using atoi) which gives 0. While it is unlikely crypt returns 0, I'd prefer to maximize the cases where the passwords don't match (and answer a support call) by using ===, than allowing a rare case that I didn't think about by using ==.
As for strcmp, the function returns <0 or >0 if different, and 0 if equal. But
strcmp("3", 0003) returns 0
strcmp("0003", 0003) returns -3
which are not surprising after all. A literal 0003 is actually an integer, 3 and since strcmp expects a string, the 3 will be converted to "3". But that shows there is some conversion that may happen in this case, since strcmp is a function, while === is part of the language.
So my preference in that case goes to === (which is faster than == anyway).
这篇关于在PHP中使用strcmp vs.== vs.===来检查哈希是否相等的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
