Prevent login warning on PHP 5.6+

[ghost]

Fix for ticket #1058

You might have to check my PR to make sure it's ok :P

[oldskool]

According to the documentation, both arguments of hash_equals() should be strings, so both should be typecast to avoid the error from moving to the second argument. In other words, change it to:

return hash_equals((string)$a, (string)$b);

[ghost]

The second is the user password which will always be a string, even if nothing is entered, so that isn't a problem.

[oldskool]

@Chris98 Well, it is currently. But it is an assumption to say it will always be that way. What if down the line we convert empty strings to null values somewhere? By typecasting the $b variable as well, you enforce it to be the proper type and avoid a similar bug to possibly appear in the future.

[ghost]

I don't really anticipate this changing anytime soon ;)

I'll leave this to the devs as to what they would like. Personally, I don't see any benefit from the additional cast.

[ghost]

I've updated the PR and it's now casting both of them.

[oldskool]

@Chris98 Thanks, merged. This way we ensure that the input is always what the function expects it to be, so it gives more consistency.

[franzliedke]

This has been merged into the wrong branch. ;)
master should be kept clean in case of urgent security releases needing to be made.

Before we merge any further PRs, I will clean up the branches.

[oldskool]

@franzliedke Oh snap, sorry! 😭

[franzliedke]

It's fine, though. If we're lucky, reverting is not necessary. ;)