Easy - you see == everywhere and === is used rarely, in docs you see it in some places like strpos(). This is one thing that has to be communicated through every channel available (including docs) with clear examples that show why it should be used instead of ==. Take me for example, I never had any idea that comparing two hashes that start with numbers can generate a logical truth despite the hashes being different. I haven't seen anything related to this in docs and never stumbled upon in the internet, ever. So I use == for comparing strings all the time. Now I will change that because I have the knowledge why I should use === instead of ==. Well, now I do know, from this mailing list (witch is for PHP development) - not many user-land developers read this list.
And in my previous message I said essentially the same as you did, just in different words and style. English is not my native language and I have been learning the British variant of it, so it's more formal that American English :) 2012/5/7 Kris Craig <kris.cr...@gmail.com> > > > On Mon, May 7, 2012 at 12:28 AM, Arvids Godjuks > <arvids.godj...@gmail.com>wrote: > >> Hello internals, >> >> I should voice my opinion that such things like comparing two strings >> starting with numbers and that they resolve to actual integer/float for >> comparation is bad, really bad. That just defies the logic and yealds >> absolutly unexpected results. I pride myself that i know the juggling >> rules >> well, but I'm shocked by this to say the least... >> In my opinion this should change no matter the BC breaks it will create, >> this one affects security big time. It's good I actually hash my passwrds >> in the MySQL and not on the PHP side, but I have seen hash comparations >> with == all the time. And now that this has been discussed in detail I >> expect this to be used as an attack method grow wide. >> 07.05.2012 5:32 пользователь "Tjerk Anne Meesters" <datib...@php.net> >> написал: > > > Forgive me if I'm missing something, but why are people using == for > security-sensitive string comparisons (like hashed passwords) in the first > place?! If you needs something that's safe, isn't that what strcmp() and > strcasecmp() are for? For my part, I pretty much never use == on string > comparison, though admittedly that's probably just a matter of having > having come from a C background before PHP. > > That being said, I agree that this *definitely* should be fixed if the > examples cited are indeed accurate (I've been working with PHP for over 10 > years and I was never aware of this bizarre behavior, either). I don't > know the history of this, but I at least would consider it to be a bug. A > rather large one, in fact; though I think some of the fears expressed are a > bit hyperbolic. And if you're fixing a serious bug or security > vulnerability, as a general rule of thumb, this automatically supercedes > any concerns regarding BC breakage IMHO. But if that really is a lingering > concern, I'd suggest targetting the fix for PHP 6, since people would (or > at least should) expect that some PHP 5 code may behave differently in PHP > 6 anyway given that it's a major release > > --Kris > >
