English
English
Hash functions are a very common tool when performing data integrity verification or password verification. However, simply using hash comparisons (such as == or === ) does not prevent and effectively detect potential hash conflicts. To improve security, PHP provides two functions: hash_final and hash_equals , which help developers handle hash operations more securely.
This article will introduce the usage of these two functions and use a practical example to demonstrate how to use them to achieve hash collision detection.
hash_final is the last step when creating step-by-step hash calculations using hash_init and hash_update . It returns the final hash value.
Example:
<?php
$context = hash_init('sha256');
hash_update($context, 'hello');
$hash = hash_final($context);
echo $hash;
Here, we initialize a hash context of SHA-256 with hash_init , then use hash_update to add the data to be hash, and finally use hash_final to get the final hash result.
hash_equals is used to safely compare two hash values. Unlike using == directly, it can prevent timing attacks caused by string comparison exit early. Timing attack is an attack method that specifies sensitive information by measuring the time required for an operation.
Example:
<?php
$knownHash = hash('sha256', 'known_value');
$userInputHash = hash('sha256', $_POST['input']);
if (hash_equals($knownHash, $userInputHash)) {
echo 'Match successfully!';
} else {
echo 'Match failed。';
}
Here, even if the value entered by the user is only part of the correct value, hash_equals will be completely compared byte byte to avoid leaking the time difference during the comparison process.
Suppose we need to detect whether the data submitted by the user conflicts with the existing data on the hash (i.e. different data produces the same hash value). We can do this:
Use hash_init , hash_update , and hash_final to calculate the hash of existing data.
Calculate the hash of user data in the same way.
Use hash_equals to compare two hash values.
Sample code:
<?php
// Simulate existing data
$existingData = 'Original content';
$context1 = hash_init('sha256');
hash_update($context1, $existingData);
$existingHash = hash_final($context1);
// User-submitted data
$userData = $_POST['user_data'];
$context2 = hash_init('sha256');
hash_update($context2, $userData);
$userHash = hash_final($context2);
// Compare hash values
if (hash_equals($existingHash, $userHash)) {
echo 'Hash conflict detected!The data may be the same or produce the same hash value。';
} else {
echo '未Hash conflict detected。';
}
Notice:
While the same hash value detected may be because the data is the same, it may also theoretically be due to rare hash collisions. Therefore, this detection method is more suitable for defense or verification rather than relying entirely on hash to judge data consistency.
Using hash_final and hash_equals , we can not only safely calculate and compare hashes, but also prevent timing attacks and detect potential hash conflicts to some extent. In scenarios involving security, it is recommended to use these tools instead of simple string comparisons.
In practical applications, for example:
Verify the integrity of uploaded files
Verify password (use with password_hash and password_verify )
Detect the signature of the interface call
These functions can all be used to improve security.
If you want to know more, it is recommended to check out the official PHP documentation .
