To successfully mitigate timing attacks and not leak the actual length of the known
string, it is important that _both provided strings have the same length_ and that
the _user-supplied string is passed as a second parameter_ rather than first.
This function has the same signature and behavior as the native hash_equals() function
and will use that function if available (PHP >= 5.6).
An E_USER_WARNING will be emitted when either of the supplied parameters is not a string.