Newsgroups: php.internals
Date: Mon, 7 May 2012 11:32:30 +0800
From: Tjerk Anne Meesters <datibbaw@php.net>
To: Richard Lynch
Cc: PHP Internals
Subject: Re: [PHP-DEV] [off] PHP: a fractal of bad design
In-Reply-To: <733bc8ea59cf6737563a62886e92fcb6.squirrel@www.l-i-e.com>
References: <4F847B8A.9010007@sugarcrm.com> <733bc8ea59cf6737563a62886e92fcb6.squirrel@www.l-i-e.com>

On Sun, May 6, 2012 at 12:17 AM, Richard Lynch wrote:
>> What exactly valid points? == is a converting operator, === is a strict
>> operator. OK, in his favorite language it is not. Where exactly is the
>> valid point? The author goes to great lengths to refuse to make even a
>> slight mental effort to understand how it works (really, it's not that
>> hard) and then complains it's "useless". Well, a lot of things would be
>> useless if you don't want to know how to use them.
>
> He has a few valid points in the part I read before I got bored...
>
> $a = "123ABF453..."; //a password
> $b = "123DFEABC..."; //another one
> if ($a == $b){
>   //you're in.
> }
>
> Yes, one should have validated the input...
>
> But you don't have to be THAT naive to think that the hashed value of
> an SQL injection attack just isn't going to work, so it's "safe"...
>
> I'll bet I have some of these in my (recent) code, for that matter.
>
> On the other hand, if you accept type juggling, you have to expect the
> other cases he has for == being a bit strange.

Validated or not, why would type juggling even come into the picture if both variables are of the same type?

123 == "123abc" // sure, why not
"61529519452809720693702583126814" == "61529519452809720000000000000000" // WAT?!

In the above, only the first ~50% of an md5 hash has to be correct. This gets even worse for SHA256 hashes.
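As an added illustration (not part of the thread): the two digit strings quoted above are numeric strings larger than PHP_INT_MAX, so `==` converts both to float before comparing and everything past roughly the 17th digit is lost. The PHP below reproduces that and shows the strict alternatives; `verify_digest` is a hypothetical helper written for this example.

```php
<?php
// Added example, not code from the thread. The two digit strings are the ones
// quoted in the mail; they are valid numeric strings that exceed PHP_INT_MAX.
$stored   = "61529519452809720693702583126814"; // quoted in the thread
$supplied = "61529519452809720000000000000000"; // differs from the 18th digit on

// Loose comparison: both operands are numeric strings, so PHP compares them
// numerically. Both overflow int, become the same double, and `==` succeeds
// even though only a prefix of the "hash" matches. Still true on PHP 8.
$loose = ($stored == $supplied);

// Strict comparison: same type and identical byte sequence required, so the
// two strings are correctly reported as different.
$strict = ($stored === $supplied);

// hash_equals() (PHP >= 5.6): strict, length-checked and constant-time; the
// right tool whenever the operands are secrets such as hashes or tokens.
$safe = hash_equals($stored, $supplied);

// The int == string case from the thread. PHP < 8 casts "123abc" to 123 and
// the comparison succeeds; PHP >= 8 compares as strings because "123abc" is
// not numeric, so the result now depends on the PHP version you run.
$juggled = (123 == "123abc");

var_dump($loose, $strict, $safe, $juggled);

// Hypothetical helper: hash the input and compare digests with hash_equals(),
// never with `==`, so numeric-looking digests cannot collide by rounding.
function verify_digest(string $expectedHex, string $input, string $algo = 'sha256'): bool
{
    $actualHex = hash($algo, $input);
    return hash_equals($expectedHex, $actualHex);
}

var_dump(verify_digest(hash('sha256', 'secret'), 'secret'));  // same input
var_dump(verify_digest(hash('sha256', 'secret'), 'Secret'));  // different input
```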