Hi, don't forget that PHP was made for web programming, and in this world you get the input from the user only as a string, therefore:
<?php echo '0' == 'asadoaskd' ?> (nothing, false)
>> Quite ok I will say. Nobody can enter '0' and pass through the check.
<?php echo '0' == (int)'adasd' ?> 1
>> You don't cast the passwords, do you?
One more thing, consider creating a hash of the password and don't store the password in clear text. When the password is hashed, it is a string and you can compare it without any problems. Either you can use sha1()/md5() of PHP or let the RDBMS do the job if it provides MD5/SHA1 as functions. This way you are not even vulnerable to SQL injection coming from the password, but injection may come from the user name (you can hash it too ;)
Regards, Andrey
Hendy Irawan wrote:
On 4/19/05, Sara Golemon <[EMAIL PROTECTED]> wrote:
<?php echo '0' == '0.0000e0' ?> 1
<?php echo '0' == 'asadoaskd' ?> (nothing, false)
<?php echo '0' == (int)'adasd' ?> 1
That confuses me more (but understandable, and thank God PHP behaves this way)... I thought 'asdasd' is 0 when [implicitly] converted to int [for comparison]? I guess I never knew PHP well :-(
That would be the 'Roughly Speaking' and 'not precisely how the engine handles it internally' parts.
In the case of string to string comparison there must be at least one digit involved at the start of the string (or a plus/minus sign followed by digits, etc...) in order to qualify as a numeric string.
I don't see this is the case:
<?php echo '0' == '0asodkaowueoq' ?> (false)
<?php echo '0' == '0 asdkasod' ?> (false)
Isn't '0asdkoasdk' a numeric string?
However:
<?php echo 0 == 'asodkasodk' ?> 1
(this is expected, although for the $password case, it can lead to security holes). More niceties:
<?php echo null == 0 ?> 1
<?php echo null == '' ?> 1
<?php echo null == '0' ?> (false)
Programming in PHP can be a lot of fun! ;-)
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
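Added example (not part of the original messages): the comparisons quoted in this thread evaluated with `==` and `===`, followed by a hypothetical `check_password()` that refuses non-string input and verifies against a stored hash. It uses `password_hash()`/`password_verify()` in place of the `sha1()`/`md5()` mentioned above; the function name and the sample password are assumptions made for the example.

```php
<?php
// Constructed sample pairs, taken from the comparisons quoted in this thread.
$pairs = array(
    array('0', '0.0000e0'),      // two numeric strings: compared as numbers by ==
    array('0', 'asadoaskd'),     // second string is not numeric: compared as strings
    array('0', '0asodkaowueoq'), // leading digit only: still not a numeric string
    array(0, 'asodkasodk'),      // int vs string: == result differs before and after PHP 8
    array(null, 0),
    array(null, ''),
    array(null, '0'),
);

foreach ($pairs as $pair) {
    list($a, $b) = $pair;
    printf(
        "%-6s vs %-18s  ==: %-5s  ===: %s\n",
        var_export($a, true),
        var_export($b, true),
        var_export($a == $b, true),   // loose: applies type juggling
        var_export($a === $b, true)   // strict: same type and same value only
    );
}

// Hypothetical login check (name and signature are assumptions for this example).
// It never lets an int, null or array reach a comparison, and it never uses ==.
function check_password($submitted, $storedHash)
{
    if (!is_string($submitted) || !is_string($storedHash)) {
        return false;
    }
    // password_verify() compares the recomputed hash without type juggling.
    return password_verify($submitted, $storedHash);
}

// Constructed sample: the stored password is a string that looks numeric.
$stored = password_hash('0.0000e0', PASSWORD_DEFAULT);

$attempts = array(
    '0.0000e0', // the exact password
    '0',        // equal to the password under ==, but a different string
    0,          // integer input, refused by the is_string() guard
    null,       // missing input, refused by the is_string() guard
);

foreach ($attempts as $attempt) {
    printf("%-12s accepted: %s\n",
        var_export($attempt, true),
        var_export(check_password($attempt, $stored), true));
}
```

The `0 == 'asodkasodk'` row is the one that depends on the PHP version: the loose comparison is true before PHP 8 and false from PHP 8 on, while the `===` column and `check_password()` do not depend on it.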