Comparing Strings

The time it takes to compare two strings depends on their differences. This can be used by an attacker when the two strings represent a password for instance; it is known as a Timing attack.

Internally, when comparing two passwords, Symfony uses a constant-time algorithm; you can use the same strategy in your own code thanks to the StringUtils class:

1
2
3
4

use Symfony\Component\Security\Core\Util\StringUtils;

// is some known string (e.g. password) equal to some user input?
$bool = StringUtils::equals($knownString, $userInput);

Generating a Secure random Number

Whenever you need to generate a secure random number, you are highly encouraged to use the Symfony SecureRandom class:

1
2
3
4

use Symfony\Component\Security\Core\Util\SecureRandom;

$generator = new SecureRandom();
$random = $generator->nextBytes(10);

The nextBytes() method returns a random string composed of the number of characters passed as an argument (10 in the above example).

The SecureRandom class works better when OpenSSL is installed. But when it's not available, it falls back to an internal algorithm, which needs a seed file to work correctly. Just pass a file name to enable it:

1
2
3
4
5
6

use Symfony\Component\Security\Core\Util\SecureRandom;

$generator = new SecureRandom('/some/path/to/store/the/seed.txt');

$random = $generator->nextBytes(10);
$hashedRandom = md5($random); // see tip below