Design your API to Prevent It From Failing Open

Compare Strings in Constant-Time

Use Strong Randomness

try {
    $data = random_bytes(32);
} catch (Error $ex) {
    // You made a mistake.
} catch (Exception $ex) {
    // Cannot access the OS's CSPRNG. Handle this however you deem appropriate.
}

Ensure String Offsets are Bytes, not Characters

<?php
/**
 * @param string $knownString
 * @param string $userString
 * @return bool
 */
function unsafe_hash_equals($knownString, $userString)
{
    $kLen = strlen($knownString);
    $uLen = strlen($userString);
    if ($kLen !== $uLen) {
        return false;
    }
    $result = 0;
    for ($i = 0; $i < $kLen; $i++) {
        $result |= (ord($knownString[$i]) ^ ord($userString[$i]));
    }
    // They are only identical strings if $result is exactly 0...
    return 0 === $result;
}
// 8 chars but 32 bytes
$hashA = "\xF0\x9D\x92\xB3" . "\xF0\x9D\xA5\xB3" .
         "\xF0\x9D\x92\xB3" . "\xF0\x9D\xA5\xB3" .
         "\xF0\x9D\x92\xB3" . "\xF0\x9D\xA5\xB3" .
         "\xF0\x9D\x92\xB3" . "\xF0\x9D\xA5\xB3";

$hashB = "\xF0\x9D\x92\xB3" . "\xF0\x9D\xA5\xB3" .
         "\xF0\xAD\x9F\xC0" . "\xF0\xAD\x9F\xC0" .
         "\xF0\xAD\x9F\xC0" . "\xF0\xAD\x9F\xC0" .
         "\xF0\xAD\x9F\xC0" . "\xF0\xAD\x9F\xC0";

var_dump(unsafe_hash_equals($hashA, $hashB));

-         $kLen = strlen($knownString);
-         $uLen = strlen($userString);
+         $kLen = mb_strlen($knownString, '8bit');
+         $uLen = mb_strlen($userString, '8bit');

Safely Convert Integers to Characters Without Table Lookups

if (CG(one_char_string)[c]) {
    ZVAL_INTERNED_STR(return_value, CG(one_char_string)[c]);
}

Using Constant-Time Encoding Routines

Ensure Multiplication is Constant-Time

/**
 * Multiply two integers in constant-time
 *
 * @param int $a
 * @param int $b
 * @return int
 */
public static function mul($a, $b)
{
    # Important detail: If you know your platform is secure, you can opt
    # out of our implementation in favor of just multiplying integers the
    # old fashioned way by setting a static variable to true at run-time.
    #
    # It defaults to FALSE and we advise no one set it to TRUE unless you
    # have irrefutable proof that this is safe for your operating environment.
    if (ParagonIE_Sodium_Compat::$fastMult) {
        return (int) ($a * $b);
    }

    # Optimization: Cache this value after the first run
    static $size = null;
    if (!$size) {
        # On 64-bit platforms, this will be 63.
        # On 32-bit platforms, this will be 31.
        $size = (PHP_INT_SIZE << 3) - 1;
    }

    $c = 0;
    #
    # Equivalent to: $mask = ($b < 0) ? -1 : 0;
    #
    # -1 in binary is all 1 bits; 0 in binary is all 0 bits.
    $mask = -(($b >> $size) & 1);
    #
    # We're stripping off the negative sign so we can safely
    # use bitshift operations and eventually get 0.
    $b = ($b & ~$mask) | ($mask & -$b);
    #
    # This is the actual multiplication loop.
    # It always runs ($size + 1) times, and consists of 
    # addition and bitwise operators.
    for ($i = $size; $i >= 0; --$i) {
        # Equivalent to: if ($b & 1) $c += $a;
        $c += (int) ($a & -($b & 1));
        # Double $a
        $a <<= 1;
        # Halve $b
        $b >>= 1;
    }
    # Equivalent to: if ($mask < 0) { $c *= -1; }
    #
    # This just reintroduces the negative sign again if $b had
    # a negative value.
    $c = ($c & ~$mask) | ($mask & -$c);
    return (int) $c;
}