10

PHP implicitly coercing password hashes to floats in comparisons is always a fun one

http://phpsadness.com/sad/47

Comments
  • 1
    If you write shitty code like that, you deserve what you get.
  • 0
    Fortunately I never encountered this situation and use strict comparison/typehints wherever possible. However I did not know that PHP always interpreted a number in a string as a number.
    Would have figured non matching types to do coercion but not matching.

    I can imagine people screwing that up, can't say it's their dumb fault though.
  • 1
    @lamka02sk Ah yes, `if(pass_hash == db_pass_hash) { ... }`, the shittiest code possible
  • 0
    Fixed in PHP 5.4.4...

    I'm worried?

    And yes, in 5.3 (!!!) the simplest workaround would be a string cast + ===

    Or strcmp === 0.

    There's a reason why many were more than happy that PHP 7 and typing came.
  • 0
    @12bitfloat It absolutely is.
  • 0
    If you bother to actually learn PHP properly, you know there is nearly no reason to ever use ==. It's simply dangerous.
  • 0
    @PrivateGER Fair enough, but you gotta admit this is pretty horrible language design
  • 2
    @12bitfloat Weak types are a horrible design.
  • 0
    @PrivateGER Now let's put it in a switch so we can check it against multiple auth systems. Whoops, switches are loose comparisons too.
  • 0
    @hjk101 Why the fuck would you do that in the first place? How would that design even look?
  • 0
    @PrivateGER I wouldn't in real life as it should be salted and perhaps different algorithms. Should be a plugin system (or strategy pattern whatever). Was just using it to point out that it's not just == that does type coercion, switches do too.
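
The comparison styles mentioned in this thread, side by side, as an added example that is not code from any commenter or from the linked page. The two digest-shaped strings are constructed (not real hashes) and the function names are hypothetical.

```php
<?php
// Constructed 32-character strings shaped like hex digests that start with
// "0e" and contain only digits afterwards. They are not real hashes.
$stored   = '0e111111111111111111111111111111';
$supplied = '0e222222222222222222222222222222';

// Hypothetical helper names; each wraps one comparison style from the thread.
function loose_match(string $a, string $b): bool
{
    // Both operands are numeric strings, so == compares them as numbers.
    // "0e..." parses as 0 times a power of ten, i.e. 0.0 on both sides.
    return $a == $b;
}

function switch_match(string $a, string $b): bool
{
    // switch/case uses the same loose comparison as ==.
    switch ($a) {
        case $b:
            return true;
        default:
            return false;
    }
}

function strict_match(string $a, string $b): bool
{
    // === on two strings compares them byte for byte, with no numeric parsing.
    return $a === $b;
}

function constant_time_match(string $a, string $b): bool
{
    // hash_equals() (PHP 5.6+) is a string-only comparison whose timing, for
    // equal-length inputs, does not depend on where the first difference is.
    return hash_equals($a, $b);
}

// Run every check against the same pair of differing strings.
foreach (['loose_match', 'switch_match', 'strict_match', 'constant_time_match'] as $check) {
    printf("%-20s differing digests match: %s\n", $check,
        var_export($check($stored, $supplied), true));
}
```

For password hashes created with `password_hash()`, `password_verify()` performs the comparison itself, so none of these operators is needed.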