  #26  Web Professional (London, joined Oct 2008)
    Quote Originally Posted by pmw57:
    $name was not a boolean, it was a number - which can be achieved without much difficulty when bad people want to break your code. Why do they want to break your code? You may have a pay wall, or sensitive data, or credit cards, or they may just be curious.
    Now you're talking about extreme cases where comparison operators won't help much. You should sanitize all user input. Do I really have to say that?

  #27  paul_wilkins (Christchurch, New Zealand, joined Jan 2007)
    Quote Originally Posted by hash:
    pmw57

    Are you here to be argumentative? You left another thread claiming you had to go to bed 2.5 hours ago. Looks like you didn't make it?
    Oh no, it's nearly 1:30am!!

    No, I'm not looking to pick fights. I'm standing up for the === operator and aiming to show why == may not be as good a choice.

    Adieu.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  #28  Michael Morris (Knoxville TN, joined Jan 2008)
    pmw - Go learn Java if you hate PHP datatypes that much. Seriously..

  #29  felgall (Sydney, NSW, Australia, joined Sep 2005)
    Quote Originally Posted by hash:
    pmw57

    Are you here to be argumentative?
    How can anyone possibly consider that raising valid points regarding security is being argumentative? Those are the sorts of stupid errors that many people actually make in their code that leave security holes that can be easily exploited.

    $price == 4.99 and 4.99 === $price may look similar, but one is way more secure than the other when you know that you are supposed to be processing numbers.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  #30  hash (SitePoint Wizard, joined Nov 2005)
    Quote Originally Posted by felgall:
    How can anyone possibly consider that raising valid points regarding security is being argumentative? Those are the sorts of stupid errors that many people actually make in their code that leave security holes that can be easily exploited.

    $price == 4.99 and 4.99 === $price may look similar, but one is way more secure than the other when you know that you are supposed to be processing numbers.
    Because it's not simply raising valid points, it's arguing that php sucks because of loose typing comparisons.

  #31  paul_wilkins (Christchurch, New Zealand, joined Jan 2007)
    It's raising awareness that when using == there will be some security issues to be aware of.

    decowski began by stating that when numbers are involved, strings are converted to a number, and that when booleans are involved, numbers (and strings) are converted to booleans.

    A fuller list for when comparing with == is:

    • string == string - Simple comparison
    • null == string - Convert null to ""
    • null == anything else - Convert both to boolean
    • bool == anything - Convert to boolean
    • object == object - see http://www.php.net/manual/en/languag...comparison.php
    • string == resource - Convert resource to a number
    • string == number - Convert string to a number
    • array == array - Compare the number of items, and only compare values when keys are the same
    • array == anything else - Array is always greater
    • object == anything else - Object is always greater
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript
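An added example, not code from the thread or from any of its posters, that puts the == conversions listed in the post above and felgall's `$price == 4.99` case (post #29) through one PHP script. The list of submitted values, the `parse_price_cents` validator and the two `0e...` strings are constructed for this illustration; the point of the second half is the pattern the thread argues for: check the shape of the input first, then compare values of a known type with ===. It also covers the case where both operands are strings that look like numbers, which PHP compares numerically.

```php
<?php
// Added example, not from the thread. Every $_GET / $_POST value arrives
// as a string (or as an array, if the client sends price[]=...), so the
// realistic input for a price field is "4.99", never the float 4.99.

declare(strict_types=1);   // affects typed parameters only, never == or ===

/**
 * Loose and strict comparison of one submitted value against the expected
 * price, returned as [loose, strict] so the two answers sit side by side.
 */
function compare_price($submitted, float $expected): array
{
    return [$submitted == $expected, $submitted === $expected];
}

// Constructed inputs: what a client could send for a "price" field.
$inputs = [
    '4.99',      // the honest case
    '4.990',     // same number, different string
    ' 4.99',     // leading whitespace is allowed in a numeric string
    '0499e-2',   // scientific notation, numerically 4.99
    '4.99abc',   // leading-numeric string: PHP 7 and PHP 8 disagree on this one
    '',          // field present but empty
    '0',
    [],          // price[]= in the request body yields an array
    null,        // field absent: $_POST['price'] ?? null
    true,
];

foreach ($inputs as $in) {
    [$loose, $strict] = compare_price($in, 4.99);
    printf("%-12s  ==  %-5s  ===  %s\n",
        json_encode($in), var_export($loose, true), var_export($strict, true));
}

/**
 * The safer pattern: accept only the exact shape we expect, convert it to an
 * integer number of cents, and compare with === on that known type.
 * Arrays, null, booleans and malformed strings all yield null.
 */
function parse_price_cents($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    // Digits with an optional one- or two-digit fraction and nothing else.
    // Rejects " 4.99", "4.99abc", "0499e-2" and "" on every PHP version.
    if (!preg_match('/^(\d{1,6})(?:\.(\d{1,2}))?$/', $raw, $m)) {
        return null;
    }
    $cents = ((int) $m[1]) * 100;
    if (isset($m[2])) {
        $cents += (int) str_pad($m[2], 2, '0');   // ".9" means 90 cents
    }
    return $cents;
}

function price_matches($raw, int $expectedCents): bool
{
    return parse_price_cents($raw) === $expectedCents;
}

foreach (['4.99', '4.9', '4.99abc', '0499e-2', [], null] as $in) {
    printf("%-12s  matches 4.99: %s\n",
        json_encode($in), var_export(price_matches($in, 499), true));
}

// Two strings that both look like numbers are compared as numbers by ==,
// so two different "0e<digits>" strings are == to each other (both 0.0).
// Hex digests can take this shape, which is why a hash comparison must use
// === or hash_equals(), never ==.
$a = '0e462097431906509019562988736854';   // md5('240610708')
$b = '0e830400451993494058024219903391';   // md5('QNKCDZO')
var_dump($a == $b, $a === $b, hash_equals($a, $b));
```

One version caveat worth knowing when reading the first table: on PHP 7 a number compared with a leading-numeric string such as "4.99abc" has the string converted to 4.99, so == reports a match; on PHP 8 the number is converted to a string instead and the same row reports no match. The validator does not depend on that change, because it never lets a string that is not exactly digits and an optional fraction reach the comparison at all.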

  #32  hash (SitePoint Wizard, joined Nov 2005)
    Now that's a good post; perhaps you should have posted that earlier instead of arguing that weak type comparison is a flaw in PHP.

  #33  felgall (Sydney, NSW, Australia, joined Sep 2005)
    Quote Originally Posted by hash:
    instead of arguing that weak type comparison is a flaw in php
    There is no post in this thread that even remotely suggests that weak type comparison is a flaw in PHP. If you think something that someone said suggests that then you have obviously misread what they said.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  #34  paul_wilkins (Christchurch, New Zealand, joined Jan 2007)
    Quote Originally Posted by hash:
    Now that's a good post, perhaps you should have posted that earlier

    It wasn't until I went and investigated due to the earlier discussion, that I was able to put together that post. Thanks.

    Quote Originally Posted by hash:
    instead of arguing that weak type comparison is a flaw in php
    I haven't been arguing that it's a flaw, but rather that, due to the wide range of values it can compare and the ways the varied matches can be used in sometimes unexpected ways, these are something it pays to keep an eye on.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

