PHP

Constant-Time String Compare

by @admin
May 31, 2026
Compare two strings in constant time to avoid timing-attack leaks when checking secrets like API keys, session tokens, or HMAC signatures. Always use hash_equals — never ===. A plain comparison returns as soon as it hits the first differing byte, so the response time tells a caller how many leading bytes of the secret were correct; hash_equals walks the whole string regardless.
<?php
function safeCompare(string $expected, string $actual): bool {
    // hash_equals compares every byte without stopping at the first mismatch.
    // It does return early when the lengths differ, so the length of $expected
    // is not hidden; always pass the known secret first and the user value second.
    return hash_equals($expected, $actual);
}

// Don't do this (timing leak: === stops at the first differing byte):
//   if ($_GET['api_key'] === $secret) { ... }   ❌

// Do this. hash_equals takes string parameters, so a request such as
// ?api_key[]=x would hand it an array and raise a TypeError on PHP 8;
// treat anything that is not a string as an empty (and therefore wrong) key.
$provided = $_GET['api_key'] ?? '';
if (!is_string($provided)) {
    $provided = '';
}

if (safeCompare($secret, $provided)) {
    // authorized
} else {
    http_response_code(401);
    exit('Unauthorized');
}
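As an added example (not part of the original snippet), the same rule applied to an HMAC-signed webhook: the request body is re-signed with the shared secret and the two hex digests, which are always the same length, are compared with hash_equals. A second helper shows the usual way to compare when the length of the secret itself must not leak. The function names, the `sha256=<hex>` header format and the sample values are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/**
 * Verify an HMAC-SHA256 signature header of the form "sha256=<hex>".
 * Both digests are 64 hex characters, so hash_equals never hits its
 * early length check and the comparison time is independent of the input.
 */
function verifyWebhookSignature(string $secret, string $body, mixed $header): bool
{
    // Malformed requests may deliver an array or null instead of a string.
    if (!is_string($header) || !str_starts_with($header, 'sha256=')) {
        return false;
    }
    $provided = substr($header, strlen('sha256='));
    $expected = hash_hmac('sha256', $body, $secret);
    // Known value first, attacker-controlled value second.
    return hash_equals($expected, $provided);
}

/**
 * Constant-time comparison that also hides the length of $expected:
 * hashing both sides first gives equal-length inputs, so hash_equals
 * cannot return early on a length mismatch.
 */
function safeCompareHidingLength(string $expected, string $actual): bool
{
    return hash_equals(hash('sha256', $expected), hash('sha256', $actual));
}

// Constructed sample values (not real credentials).
$secret = 'example-shared-secret';
$body   = '{"event":"ping"}';
$good   = 'sha256=' . hash_hmac('sha256', $body, $secret);

var_dump(verifyWebhookSignature($secret, $body, $good));
var_dump(verifyWebhookSignature($secret, $body, 'sha256=deadbeef'));
var_dump(verifyWebhookSignature($secret, $body, ['sha256=x']));
var_dump(safeCompareHidingLength('token-A', 'token-A'));
var_dump(safeCompareHidingLength('token-A', 'token-AB'));
```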