Force PHP to run all if conditions

283 Views Asked by AnnoyinC At 20 October 2024 at 12:52

I am building an application that is sensitive to timing attacks. I was thinking of instead of making an "if tree" where you nest if statement, just run all of the if statements, and then check all of the conditions at the end, like so:


    if (password_verify($pass, $hash)){
        $cond1 = true
    }else{
        $cond1 = false
    }
        // some more ifs that run in serial
    if ($cond1 && $cond2 && cond3 ... etc){
        // some code
    }

But I believe that the final if statement will still be vulnerable because PHP cuts if statement evaluation short if there is some condition that would fail the entire statement. How can I work around this?

Original Q&A

There are 1 best solutions below

AnnoyinC On 25 August 2019 at 11:23

Edit: this approach does not work because string comparison is also cut short once one char is off.

I figured it out. Instead of assigning boolean values to the condition variables, I assign a character "0" or "1". I then at the end concatenate all the conditions and check if that string is "11111111".

if (password_verify($pass, $hash)){
    $cond1 = "1";
}else{
    $cond1 = "0";
}
// some more ifs that run in serial
$allcond = $cond1.$cond2.$cond3; //etc
if ($allcond = "11111"){
    // some code
}

Force PHP to run all if conditions

There are 1 best solutions below

Related Questions in PHP

Related Questions in IF-STATEMENT

Related Questions in TIMING-ATTACK

Trending Questions

Popular # Hahtags

Popular Questions