
Wow, the level of crazy there is very high. Up until today I thought that PHP was fine, but nobody should ever use it for anything remotely real. You have changed my mind. We must kill PHP with fire.



PHP offers hash_equals() since 5.6 and password_hash()/password_verify() since 5.5 (and === in all versions) -- this is a problem that plagues poorly designed legacy code.

The problem is not PHP, the problem is ignorant developers who do not know [how] to use password_hash() and password_verify().

[Also, "Matasano". I feel like I'm pressing the summonthensa.com button but w/e.]


I'm going to have to disagree. Any programming language where string comparison works "normally" for everything except for certain magic string values is Wrong. Like, I see where they're going with it, but it's probably a source of undetected Heisenbugs on a significant proportion of PHP sites. Not just talking about password hashes and other security critical operations here, just good old bugs.
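The comparison pitfall the two replies above argue about, as an added PHP example (constructed for this page, not code from any commenter): loose `==` on two strings that both look like scientific notation compares them as numbers, while `===` and `hash_equals()` compare the bytes, and `password_verify()` avoids hand-rolled hash comparison altogether. The digest strings are made-up values chosen only for their `0e` prefix.

```php
<?php
// Constructed demonstration of PHP string comparison on "numeric-looking" strings.

function loose_compare(string $a, string $b): bool
{
    // Both operands are numeric strings ("0e" + digits = 0 * 10^n), so PHP
    // converts them to float before comparing; every such pair is "equal".
    return $a == $b;
}

function strict_compare(string $a, string $b): bool
{
    // === compares type and bytes; no numeric conversion happens.
    return $a === $b;
}

function safe_digest_compare(string $known, string $supplied): bool
{
    // hash_equals() (PHP >= 5.6) is a strict, constant-time byte comparison;
    // the known-good value goes first so its length is not leaked by timing.
    return hash_equals($known, $supplied);
}

function store_password(string $plain): string
{
    // password_hash() (PHP >= 5.5) salts and hashes with the current default algorithm.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function check_password(string $plain, string $stored): bool
{
    // password_verify() recomputes and compares internally; no manual == needed.
    return password_verify($plain, $stored);
}

// Two different made-up hex digests that PHP parses as the float 0.0 under ==.
$stored   = '0e1234567890123456789012345678';
$supplied = '0e9876543210987654321098765432';

printf("loose  == : %s\n", var_export(loose_compare($stored, $supplied), true));
printf("strict === : %s\n", var_export(strict_compare($stored, $supplied), true));
printf("hash_equals: %s\n", var_export(safe_digest_compare($stored, $supplied), true));

$hash = store_password('correct horse battery staple');
printf("verify ok  : %s\n", var_export(check_password('correct horse battery staple', $hash), true));
printf("verify bad : %s\n", var_export(check_password('wrong password', $hash), true));
```

Only the first line of output differs between the three comparison functions; the other two lines show why a stored hash should be checked with `password_verify()` or `hash_equals()` rather than `==`.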



