Newsgroups: php.internals
From: php@hristov.com (Andrey Hristov)
To: garbageman@gauldong.net
CC: internals@lists.php.net
Date: Mon, 18 Apr 2005 22:11:36 +0200
Subject: Re: [PHP-DEV] Re: == and ===
Message-ID: <42641478.4020300@hristov.com>
In-Reply-To: <3c4c8fa605041813052e034f35@mail.gmail.com>
Hi,
don't forget that PHP was made for web programming, and in this world you get the input from the user only as a string, therefore:

(nothing, false)
>> Quite OK, I will say. Nobody can enter '0' and pass through the check.

1
>> You don't cast the passwords, do you?

One more thing: consider creating a hash of the password and don't store the password in clear text. When the password is hashed, it is a string and you can compare it without any problems. You can either use sha1()/md5() in PHP or let the RDBMS do the job if it provides MD5/SHA1 as functions. This way you are not even vulnerable to SQL injection coming from the password, but injection may come from the user name (you can hash it too ;)

Regards,
Andrey

Hendy Irawan wrote:
> On 4/19/05, Sara Golemon wrote:
>
>>> 1
>>>
>>> (nothing, false)
>>>
>>> 1
>>>
>>> That confuses me more (but understandable, and thank God PHP behaves
>>> this way)... I thought 'asdasd' is 0 when [implicitly] converted to
>>> int [for comparison]? I guess I never knew PHP well :-(
>>
>> That would be the 'Roughly Speaking' and 'not precisely how the engine
>> handles it internally' parts.
>>
>> In the case of string to string comparison there must be at least one digit
>> involved at the start of the string (or a plus/minus sign followed by
>> digits, etc...) in order to qualify as a numeric string.
>
> I don't see that this is the case:
>
> (false)
>
> (false)
>
> Isn't '0asdkoasdk' a numeric string?
>
> However:
>
> 1
>
> (this is expected, although for the $password case, it can lead to
> security holes).
>
> More niceties:
>
> 1
>
> 1
>
> (false)
>
> Programming in PHP can be a lot of fun! ;-)
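The code the thread quotes did not survive extraction, so here is an added example (written for this page, not code from Andrey, Hendy or the PHP project) that puts the two points of the discussion side by side: how == treats the strings a web form delivers, and what a password check looks like when the stored value is a sha1() digest as Andrey suggests. The user table, the names login_loose/login_strict and the sample inputs are constructed for the demo; it needs PHP 7.1 or later for the short array destructuring and return types.

```php
<?php
// Added example for this thread; not code from the original posters or from PHP.
// Constructed "user table": the password column holds sha1() of the clear-text
// password, as suggested in the reply above.
$users = [
    'alice' => sha1('correct horse'),
];

// Loose check. If both operands are numeric strings (e.g. '1e3' and '1000', or
// two hex digests that happen to look like '0e<digits>'), == compares them as
// numbers rather than byte by byte, so distinct digests can compare equal.
function login_loose(array $users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    return $users[$user] == sha1($password);
}

// Strict check. hash_equals() (PHP >= 5.6) compares the two strings byte for
// byte in constant time; === would also refuse the numeric-string shortcut.
function login_strict(array $users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    return hash_equals($users[$user], sha1($password));
}

var_dump(login_loose($users, 'alice', 'correct horse'));
var_dump(login_strict($users, 'alice', 'correct horse'));
var_dump(login_strict($users, 'alice', 'wrong password'));
var_dump(login_strict($users, 'bob', 'correct horse'));

// The comparisons the thread is about, on constructed input. Each comment
// names the rule PHP applies; run the script to see the resulting booleans.
$cases = [
    // both are numeric strings, so == compares them as the number 1000
    ['1e3',        '1000'],
    // both are numeric strings in exponent form equal to 0.0
    ['0e123',      '0e456'],
    // '' is not a numeric string, so == falls back to a byte comparison
    ['0',          ''],
    // a leading digit followed by non-digits is not a numeric string either,
    // so this is also a byte comparison (Hendy's '0asdkoasdk' case)
    ['0asdkoasdk', '0'],
    // int vs non-numeric string: PHP < 8 converts the string to int,
    // PHP >= 8 converts the int to string and compares the strings
    [0,            'asdasd'],
];
foreach ($cases as [$a, $b]) {
    printf("%-14s == %-10s : %-5s   === : %s\n",
        var_export($a, true), var_export($b, true),
        var_export($a == $b, true), var_export($a === $b, true));
}
```

Two caveats for a practitioner reading this thread today. First, a hex digest is itself a string, and a digest of the form 0e followed only by digits is a numeric string, so comparing two such digests with == compares them as 0.0 and they match; that is why the strict variant uses hash_equals() rather than ==, and why password_hash()/password_verify() (PHP >= 5.5) are the usual replacement for raw md5()/sha1() digests. Second, PHP 8 changed the int-versus-non-numeric-string case in the last row of $cases (0 == 'asdasd' is no longer true there), while all string-versus-string rows behave the same on PHP 5 through 8. Hashing the password before it reaches the query does keep that one value out of the SQL text, but the user name path Andrey mentions stays open; parameterized queries cover both.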