@@ -5,21 +5,24 @@ The Symfony Security component comes with a collection of nice utilities
55related to security. These utilities are used by Symfony, but you should
66also use them if you want to solve the problem they address.
77
8+ .. note ::
9+
10+ All functions described in this article were introduced in PHP 7. For older
11+ PHP versions, a polyfill is provided by the `Symfony Polyfill Component `_.
12+
813Comparing Strings
914~~~~~~~~~~~~~~~~~
1015
1116The time it takes to compare two strings depends on their differences. This
1217can be used by an attacker when the two strings represent a password for
1318instance; it is known as a `Timing attack `_.
1419
15- Internally, when comparing two passwords, Symfony uses a constant-time
16- algorithm; you can use the same strategy in your own code thanks to the
17- :class: `Symfony\\ Component\\ Security\\ Core\\ Util\\ StringUtils ` class::
18-
19- use Symfony\Component\Security\Core\Util\StringUtils;
20+ When comparing two passwords, you should use the :phpfunction: `hash_equals `
21+ function::
2022
21- // is some known string (e.g. password) equal to some user input?
22- $bool = StringUtils::equals($knownString, $userInput);
23+ if (hash_equals($knownString, $userInput)) {
24+ // ...
25+ }
2326
2427Generating a Secure Random String
2528~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -49,12 +52,5 @@ use the :phpfunction:`random_int` function::
4952
5053 $random = random_int(1, 10);
5154
52- .. note ::
53-
54- PHP 7 and up provide the ``random_bytes() `` and ``random_int() `` functions
55- natively, for older versions of PHP a polyfill is provided by the
56- `Symfony Polyfill Component `_ and the `paragonie/random_compat package `_.
57-
5855.. _`Timing attack` : https://en.wikipedia.org/wiki/Timing_attack
5956.. _`Symfony Polyfill Component` : https://github.com/symfony/polyfill
60- .. _`paragonie/random_compat package` : https://github.com/paragonie/random_compat
0 commit comments