public static method

Compares two hashes in constant time to prevent timing attacks.

To successfully mitigate timing attacks and not leak the actual length of the known hash, it is important that both provided hash strings have the same length and that the user-supplied hash string is passed as a second parameter rather than first.

An E_USER_WARNING will be emitted when either of the supplied parameters is not a string.


  • string $known

    The hash string of known length to compare against.

  • string $user

    The user-supplied hash string.



Returns a boolean indicating whether the two hash strings are equal.


	public static function compare($known, $user) {
		return hash_equals($known, $user);