Newsgroups: php.internals
Date: Mon, 7 May 2012 10:28:46 +0300
To: Tjerk Anne Meesters
Cc: PHP Internals, Richard Lynch
Subject: Re: [PHP-DEV] [off] PHP: a fractal of bad design
From: arvids.godjuks@gmail.com (Arvids Godjuks)

Hello internals,

I should voice my opinion that such things like comparing two strings starting with numbers and that they resolve to actual integer/float for comparison is bad, really bad. That just defies the logic and yields absolutely unexpected results. I pride myself that I know the juggling rules well, but I'm shocked by this to say the least...

In my opinion this should change no matter the BC breaks it will create, this one affects security big time. It's good I actually hash my passwords in the MySQL and not on the PHP side, but I have seen hash comparisons with == all the time. And now that this has been discussed in detail I expect the use of this as an attack method to grow wide.

On 07.05.2012 at 5:32, user "Tjerk Anne Meesters" wrote:

> On Sun, May 6, 2012 at 12:17 AM, Richard Lynch wrote:
>
> >> What exactly valid points? == is a converting operator, === is a
> >> strict
> >> operator. OK, in his favorite language it is not. Where exactly the
> >> valid point is? Author goes at great lengths to refuse to make even a
> >> slight mental effort to understand how it works (really, it's not that
> >> hard) and then complains it's "useless". Well, a lot of things would
> >> be
> >> useless if you don't want to know how to use them.
> >
> > He has a few valid points in the part I read before I got bored...
> >
> > $a = "123ABF453..."; //a password
> > $b = "123DFEABC..."; //another one
> > if ($a == $b){
> > //you're in.
> > }
> >
> > Yes, one should have validated the input...
> >
> > But you don't have to be THAT naive to think that the hashed value of
> > an SQL injection attack just isn't going to work, so it's "safe"...
> >
> > I'll bet I have some of these in my (recent) code, for that matter.
> >
> > On the other hand, if you accept type juggling, you have to expect the
> > other cases he has for == being a bit strange.
>
> Validated or not, why would type juggling even come into the picture
> if both variables are of the same type?
>
> 123 == "123abc" // sure, why not
> "61529519452809720693702583126814" ==
> "61529519452809720000000000000000" // WAT?!
>
> In the above, only the first ~50% of an md5 hash has to be correct.
> This gets even worse for SHA256 hashes.
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
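The comparison Tjerk quotes, as an added example that is not code from the thread: it runs `==` on the two digit-only digest strings beside the strict and timing-safe alternatives a defender should use, and adds a small audit helper that tells you when `==` would compare two strings numerically. It assumes PHP 5.6 or later for `hash_equals()`; the function names (`loose_equal`, `strict_equal`, `digest_equal`, `compares_numerically`) are my own.

```php
<?php
// Added example, not code from the thread. Shows why `==` is the wrong
// operator for digests and what to use instead. Assumes PHP >= 5.6 for
// hash_equals(); everything else is core PHP.

// The two digest-like strings from the thread. Both contain only digits,
// so both are numeric strings; both exceed PHP_INT_MAX, so `==` turns
// each into a double (53-bit mantissa, about 16 significant digits)
// before comparing, and the trailing digits are lost in that conversion.
$a = "61529519452809720693702583126814";
$b = "61529519452809720000000000000000";

// Loose comparison: two numeric strings are compared by numeric value.
function loose_equal(string $x, string $y): bool
{
    return $x == $y;
}

// Strict comparison: same type and identical bytes, no conversion.
function strict_equal(string $x, string $y): bool
{
    return $x === $y;
}

// What to use for secrets and digests: strict and timing-safe.
function digest_equal(string $known, string $user): bool
{
    return hash_equals($known, $user);
}

// Audit helper: would `==` compare these two strings as numbers?
// That is the case exactly when both are numeric strings.
function compares_numerically(string $x, string $y): bool
{
    return is_numeric($x) && is_numeric($y);
}

printf("numeric?      %s\n", var_export(compares_numerically($a, $b), true));
printf("(float) \$a    %.17g\n", (float) $a);
printf("(float) \$b    %.17g\n", (float) $b);
printf("==            %s\n", var_export(loose_equal($a, $b), true));
printf("===           %s\n", var_export(strict_equal($a, $b), true));
printf("hash_equals   %s\n", var_export(digest_equal($a, $b), true));

// The same mechanism with an exponent: "1e3" is a numeric string whose
// value is 1000, so `==` compares it as a number while `===` compares bytes.
printf("1e3 == 1000   %s\n", var_export(loose_equal("1e3", "1000"), true));
printf("1e3 === 1000  %s\n", var_export(strict_equal("1e3", "1000"), true));
```

Note that `compares_numerically()` is false for ordinary hex digests containing letters, which is why the problem only bites for the minority of digests that happen to be all digits (or digits around a single `e`), exactly the case the thread is pointing at.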