lithium\util\String::compare PHP Method

compare() public static Method

To successfully mitigate timing attacks and not leak the actual length of the known string, it is important that _both provided strings have the same length_ and that the _user-supplied string is passed as a second parameter_ rather than first. This function has the same signature and behavior as the native hash_equals() function and will use that function if available (PHP >= 5.6). An E_USER_WARNING will be emitted when either of the supplied parameters is not a string.
public static compare ( string $known, string $user ) : boolean
$known string The string of known length to compare against.
$user string The user-supplied string.
Returns boolean Returns a boolean indicating whether the two strings are equal.
    public static function compare($known, $user)
    {
        if (function_exists('hash_equals')) {
            return hash_equals($known, $user);
        }
        if (!is_string($known) || !is_string($user)) {
            trigger_error('Expected `$known` & `$user` parameters to be strings.', E_USER_WARNING);
            return false;
        }
        if (($length = strlen($known)) !== strlen($user)) {
            return false;
        }
        for ($i = 0, $result = 0; $i < $length; $i++) {
            $result |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $result === 0;
    }

Usage Example

Example #1
 /**
  * Compares a password and its hashed value using PHP's `crypt()`. Rather than a simple string
  * comparison, this method uses a constant-time algorithm to defend against timing attacks.
  *
  * @see lithium\security\Password::hash()
  * @see lithium\security\Password::salt()
  * @param string $password The user-supplied plaintext password to check.
  * @param string $hash The known hashed password to compare it to.
  * @return boolean Returns a boolean indicating whether the password is correct.
  */
 public static function check($password, $hash)
 {
     return String::compare($hash, crypt($password, $hash));
 }
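
The equal-length requirement described above can be met even when the stored value and the input differ in length, by comparing fixed-length HMAC digests of both instead of the raw strings. This is an added example, not Lithium code: `verifyToken()` and the sample token are hypothetical, and `hash_equals()` stands in for `String::compare()`, which the page says has the same signature and behavior.

```php
<?php
// Added example (not from the Lithium code base). Function name and sample
// values are constructed for illustration.

/**
 * Compares a stored secret with user input without exposing the secret's length.
 *
 * Both values are mapped to 32-byte HMAC-SHA256 digests under a random
 * per-call key, so the strings handed to the constant-time comparison always
 * have the same length, whatever the caller supplied.
 *
 * @param mixed $storedToken The known secret (expected to be a string).
 * @param mixed $userToken The user-supplied value (may be any type).
 * @return boolean
 */
function verifyToken($storedToken, $userToken)
{
    // Request parsing can yield arrays or null; reject them before comparing
    // instead of relying on the comparison function's type handling.
    if (!is_string($storedToken) || !is_string($userToken)) {
        return false;
    }

    // Fresh key on every call, so digests cannot be precomputed by the caller.
    $key = random_bytes(32); // requires PHP >= 7.0

    $known = hash_hmac('sha256', $storedToken, $key, true);
    $user = hash_hmac('sha256', $userToken, $key, true);

    // Known value first, user-supplied value second, as the docs above require.
    return hash_equals($known, $user);
}

// Constructed sample inputs.
$stored = 'constructed-api-token-0123456789';

var_dump(verifyToken($stored, 'constructed-api-token-0123456789')); // same token
var_dump(verifyToken($stored, 'short'));                            // different length
var_dump(verifyToken($stored, array('not-a-string')));              // wrong type
```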