@@ -5,21 +5,25 @@ The Symfony Security component comes with a collection of nice utilities
55related to security. These utilities are used by Symfony, but you should
66also use them if you want to solve the problem they address.
77
8+ .. note ::
9+
10+ The functions described in this article were introduced in PHP 5.6 or 7.
11+ For older PHP versions, a polyfill is provided by the
12+ `Symfony Polyfill Component `_.
13+
814Comparing Strings
915~~~~~~~~~~~~~~~~~
1016
1117The time it takes to compare two strings depends on their differences. This
1218can be used by an attacker when the two strings represent a password for
1319instance; it is known as a `Timing attack `_.
1420
15- Internally, when comparing two passwords, Symfony uses a constant-time
16- algorithm; you can use the same strategy in your own code thanks to the
17- :class: `Symfony\\ Component\\ Security\\ Core\\ Util\\ StringUtils ` class::
18-
19- use Symfony\Component\Security\Core\Util\StringUtils;
21+ When comparing two passwords, you should use the :phpfunction: `hash_equals `
22+ function::
2023
21- // is some known string (e.g. password) equal to some user input?
22- $bool = StringUtils::equals($knownString, $userInput);
24+ if (hash_equals($knownString, $userInput)) {
25+ // ...
26+ }
2327
2428Generating a Secure Random String
2529~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
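Review bot: the new note is imprecise about versions: `hash_equals()` arrived in PHP 5.6 while `random_bytes()`/`random_int()` arrived in PHP 7.0, so "introduced in PHP 5.6 or 7" leaves the reader guessing which function needs which version; state the version next to each function (the removed note further down already said "PHP 7 and up provide the ``random_bytes()`` and ``random_int()`` functions natively"). Two smaller points in the same hunk: the replacement snippet drops the explanatory comment "is some known string (e.g. password) equal to some user input?", which was the only place telling readers that the known string goes first and the user-supplied value second, and the hunk removes every mention of ``StringUtils::equals()`` without a sentence telling existing users that `hash_equals()` is its replacement; consider keeping the comment and adding one line such as "Symfony's former ``StringUtils::equals()`` helper is superseded by this function."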
@@ -49,12 +53,5 @@ use the :phpfunction:`random_int` function::
4953
5054 $random = random_int(1, 10);
5155
52- .. note ::
53-
54- PHP 7 and up provide the ``random_bytes() `` and ``random_int() `` functions
55- natively, for older versions of PHP a polyfill is provided by the
56- `Symfony Polyfill Component `_ and the `paragonie/random_compat package `_.
57-
5856.. _`Timing attack` : https://en.wikipedia.org/wiki/Timing_attack
5957.. _`Symfony Polyfill Component` : https://github.com/symfony/polyfill
60- .. _`paragonie/random_compat package` : https://github.com/paragonie/random_compat
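Review bot: deleting the `paragonie/random_compat package` link target is consistent with removing its only reference in this hunk, so nothing dangles, but the consolidated note at the top of the file now only mentions the Symfony Polyfill component; if dropping the random_compat alternative is intentional, the commit message should say so, otherwise keep the reference and its target line. Also verify that ``Symfony Polyfill Component`` in the new note matches the surviving target ``.. _`Symfony Polyfill Component`:`` exactly (case and spacing), since RST link resolution is literal.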