
Samantha Quinones:
Juggle Chainsaws, Not Types
Nov 22, 2013 @ 15:25:33

Samantha Quinones has a new post today about something that has been known to trip up both new and experienced PHP developers - PHP's dynamic type juggling.

No matter how popular an activity it is, I really don’t like to bash on PHP. Every language has its flaws when you look closely enough, and if PHP wears its idiosyncrasies a little closer to the surface than most, I think it makes up for it in other ways. PHP’s handling of types, however, is confusing at best and at worst completely deranged.

She goes on to talk about the issues with type comparisons and how much trouble using the "==" (double equals) versus the "===" (triple equals) can potentially cause. While it's easier for new PHP developers to get caught by this issue, even experienced devs might miss it. She gives an example of a time in her own development involving the comparison of strings against constants and in_array's non-string type comparisons.

tagged: type juggling strict loose comparison inarray

Link: http://www.tembies.com/2013/11/juggle-chainsaws/

Joseph Scott's Blog:
Why PHP Strings Equal Zero
Mar 15, 2012 @ 14:47:49

Joseph Scott has a new post to his blog looking at "why PHP strings equal zero" - that comparing a string to zero with the "==" operator can evaluate to true.

The issue of PHP strings equaling zero has come up a few times recently. [...] Running that will display Equals zero!, which at first glance probably doesn’t make much sense. So what is going on here?

He gets into the specifics of what's happening - a bit of type juggling, the looser comparison that "==" performs compared to "===", and how the PHP manual describes strings being converted to numbers.

While I still think it is odd that the string gets cast as an integer instead of the other way around, I don’t think this is a big deal. I can’t recall a single time where I’ve ever run into this issue in a PHP app. I’ve only seen it come up in contrived examples like the ones above.

tagged: string equal zero type juggling conversion

Link:
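The comparison the post describes, as an added example (not code from Joseph Scott's post): a string checked against zero with "==", with "===", and with an explicit numeric check. The function names and the sample strings are constructed for this illustration. Note that PHP 8 changed the rule so that only numeric strings are compared numerically; the comments mark where the result differs.

```php
<?php
// Added example, not taken from the post. Shows why a non-numeric string
// compared to 0 with "==" was true on PHP 5/7 (the string is juggled to
// the integer 0) and what a deliberate check looks like instead.

// Loose comparison: PHP 5/7 juggle 'abc' to int 0, so 'abc' == 0 is true.
// PHP 8 only compares numerically when the string is numeric, so it is false.
function looseEqualsZero(string $s): bool
{
    return $s == 0;
}

// Strict comparison: a string and an int are different types, never identical.
function strictEqualsZero(string $s): bool
{
    return $s === 0;
}

// Deliberate check: only a numeric string may count as "zero".
function isNumericZero(string $s): bool
{
    return is_numeric($s) && (float) $s === 0.0;
}

// Constructed sample inputs.
foreach (['abc', '', '0', '0.0', '1e3'] as $s) {
    printf("%-6s loose=%d strict=%d numericZero=%d\n",
        var_export($s, true),
        looseEqualsZero($s), strictEqualsZero($s), isNumericZero($s));
}
// PHP 5/7: 'abc' and '' are loosely equal to 0, '0' and '0.0' too, '1e3' is not.
// PHP 8:   only '0' and '0.0' are loosely equal to 0.
// isNumericZero() gives the same answer on every version: true for '0' and '0.0'.
```

Run it under a PHP 7 and a PHP 8 interpreter side by side and the first column is the one that moves; the strict and explicit checks do not depend on the version.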

Brandon Savage's Blog:
An XSS Vulnerability In The Making
Mar 07, 2012 @ 18:02:46

Brandon Savage has a new post to his blog about what he calls an XSS vulnerability in the making, something to watch out for when you're doing validation in PHP involving the possibility of numbers as strings.

Back in September, Socorro received a security bug relating to the method we were using for processing inputs for the duration of certain reports. The vulnerability included a proof of concept, with an alert box popping up on production when the link was followed. [...] I was quite surprised at the root cause of the vulnerability. We had opted to compare the incoming data against a known set of valid values – a common practice when whitelisting certain inputs. [...] As expected, when this [example] code is tested, a string of '3' and an integer of 3 work equally well, and a string of '5' and an integer of 5 fail equally.

This automatic casting that PHP does internally caused another issue as well - if the string passed in even started with a valid number from their whitelist set, it still passed.

At first we thought this surely had to be a bug in PHP. However, Laura Thomson told me "If comparing two values, type juggling is performed first, which means that the string is converted to a number. This is done by taking the first number found in the string. So this may be confusing/a quirk/a gotcha, but it isn’t a bug." And she's right: this isn't a bug per se, but it's certainly an interesting "gotcha."

tagged: crosssitescripting xss type juggling string conversion internal

Link:
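A whitelist check of the kind both Brandon Savage's post and Samantha Quinones's in_array example describe, as an added example (not code from either post or from Socorro): the loose in_array() form beside a strict one. The whitelist values, function names and sample inputs, including the harmless tag-bearing string that stands in for the report's proof of concept, are constructed for this illustration.

```php
<?php
// Added example, not taken from either post. Assumed whitelist of report
// durations in days; the values are made up for the illustration.
const VALID_DURATIONS = [1, 3, 7, 14, 28];

// Loose check: in_array() compares with "==", so a string is juggled to a
// number first. On PHP 5/7 the leading digits decide, so '3<b>bold</b>'
// matches the integer 3 and the untouched string passes through.
// PHP 8 no longer treats a leading-numeric string as numeric here, but
// '3' still matches 3, so the caller is still handed a string, not an int.
function durationIsValidLoose($input): bool
{
    return in_array($input, VALID_DURATIONS);
}

// Strict check: the third argument makes in_array() use "===", so a string
// never matches an integer. Conversion happens on our own terms: only a
// string made entirely of digits is accepted, and the integer is compared.
function durationIsValidStrict($input): bool
{
    if (is_int($input)) {
        return in_array($input, VALID_DURATIONS, true);
    }
    if (is_string($input) && ctype_digit($input)) {
        return in_array((int) $input, VALID_DURATIONS, true);
    }
    return false;
}

// Constructed sample inputs: the post's '3'/3 and '5'/5 pairs, plus
// leading-numeric strings and an empty string.
$samples = [3, '3', 5, '5', '3<b>bold</b>', '3 days', '03', ''];
foreach ($samples as $input) {
    printf("%-16s loose=%-5s strict=%s\n",
        var_export($input, true),
        var_export(durationIsValidLoose($input), true),
        var_export(durationIsValidStrict($input), true));
}
// PHP 5/7 loose: 3, '3', '3<b>bold</b>', '3 days' and '03' all pass.
// Strict (any version): 3, '3' and '03' pass; the strings with trailing
// text and the empty string are rejected before any comparison happens.
```

The strict version still accepts '03' because ctype_digit() only checks the character set; if leading zeros should be rejected too, compare (string)(int)$input back against $input before the lookup.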
