
Features of conditional constructs with strings in PHP

Habr often discusses which language is better for writing secure applications. It is often noted that PHP is designed in such a way that a novice developer will make mistakes that lead to security holes. In this post I want to talk about what I consider the illogical behavior of comparison operations and of the if and switch statements when working with strings. These features are known to experienced developers, but I decided to collect them in one place. I think the post will be useful to novice developers and to those who work in PHP but have programming experience in other languages.

What is truth?

What strings are true? Consider an example:

<?php
echo '"" is ' . ('' ? 'true' : 'false') . "\n";
echo '"0" is ' . ('0' ? 'true' : 'false') . "\n";
echo '"-0" is ' . ('-0' ? 'true' : 'false') . "\n";
echo '"0.0" is ' . ('0.0' ? 'true' : 'false') . "\n";
echo '"00" is ' . ('00' ? 'true' : 'false') . "\n";
echo '"A" is ' . ('A' ? 'true' : 'false') . "\n";

We get:

"" is false
"0" is false
"-0" is true
"0.0" is true
"00" is true
"A" is true

So all non-empty strings are true, except the string "0". The logic of this behavior is not clear to me. In practice, the if statement is often used to check whether a form field is filled in, for example: if (isset($_GET['income']) && $_GET['income']) { ... }. To avoid possible misunderstandings, use a check of the form: if (isset($_GET['income']) && strlen($_GET['income'])) { ... }

String comparison

PHP has two comparison operators, == and ===. The second compares both types and values; the first performs a type conversion and then compares. The peculiarity of the == operator is that when a number is compared with a string, the string is converted to a number. If the string is not numeric, it is converted to the numeric value 0. Consider an example:

<?php
echo '"A" == 0 is ' . ('A' == 0 ? 'true' : 'false') . "\n";
echo '"A" === 0 is ' . ('A' === 0 ? 'true' : 'false') . "\n";
echo '"A" == 0.0 is ' . ('A' == 0.0 ? 'true' : 'false') . "\n";
echo '"A" === 0.0 is ' . ('A' === 0.0 ? 'true' : 'false') . "\n";

The result of the script:

"A" == 0 is true
"A" === 0 is false
"A" == 0.0 is true
"A" === 0.0 is false

If your function compares a string passed as an argument with a given string, you should first check that the argument really is a string and not a number. An example is given below, in the discussion of the switch statement.

Switch statement

We expect the switch statement to compare the passed value with the given constants. A feature of the implementation of switch in PHP is that it compares using the == operator, that is, it does not compare types. As an example, consider a fictional function that returns an employee's salary, taking the employee's name as input:

<?php
function get_salary($name) {
    switch ($name) {
        case 'John':
            return 3400;
            break;
        case 'Mary':
            return 4600;
            break;
        default:
            return 0;
    }
}

echo "John's salary is " . get_salary('John') . "\n";
echo "Mary's salary is " . get_salary('Mary') . "\n";
echo "Peter's salary is " . get_salary('Peter') . "\n";
echo "0's salary is " . get_salary(0) . "\n";
?>

Script result:

John's salary is 3400
Mary's salary is 4600
Peter's salary is 0
0's salary is 3400

The example shows that the function's safety is compromised by passing a numeric value instead of a string. To protect the function from unwanted use, you need to check the type of the input value:

<?php
function get_salary($name) {
    if (!is_string($name)) return 0;
    switch ($name) {
        case 'John':
            return 3400;
            break;
        case 'Mary':
            return 4600;
            break;
        default:
            return 0;
    }
}

echo "John's salary is " . get_salary('John') . "\n";
echo "Mary's salary is " . get_salary('Mary') . "\n";
echo "Peter's salary is " . get_salary('Peter') . "\n";
echo "0's salary is " . get_salary(0) . "\n";
?>

Script result:

John's salary is 3400
Mary's salary is 4600
Peter's salary is 0
0's salary is 0

So, some comparison operations behave counterintuitively. Forewarned is forearmed.

Crosspost of "Features of conditional constructs with strings in PHP" with webew.ru.

Source: https://habr.com/ru/post/26577/
