11
12bitfloat
322d

PHP implicitely coercing password hashes to floats in comparisons is always a fun one

http://phpsadness.com/sad/47

Comments
  • 1
    If you write shitty code like that, you deserve what you get.
  • 0
    Fortunately I never encountered this situation and use strict comparison/typehints wherever possible. However I did not know that PHP always interpreted a number in string as a number.
    Would have figured non matching types to do coercion but not matching.

    I can imagine people screwing that up, can't say it's there dumb fault though.
  • 1
    @lamka02sk Ah yes, `if(pass_hash == db_pass_hash) { ... }`, the shittiest code possible
  • 0
    Fixed in PHP 5.4.4...

    I'm worried?

    And yes, in 5.3 (!!!) the simplest workaround would be a string cast + ===

    Or strcmp === 0.

    There's a reason why many were more than happy that PHP 7 and typing came.
  • 0
    @12bitfloat It absolutely is.
  • 0
    If you bother to actually learn PHP properly, you know there is nearly no reason to ever use ==. It's simply dangerous.
  • 0
    @PrivateGER Fair enough, but you gotta admit this is pretty horrible language design
  • 2
    @12bitfloat Weak types are a horrible design.
  • 0
  • 0
    @PrivateGER Now let's put it in a switch do we can check it against multiple auth systems. Whoops switches are loose comparison's too.
  • 0
    @hjk101 Why the fuck would you do that in the first place? How would that design even look?
  • 0
    @PrivateGER I wouldn't in real life as it should be salted and perhaps different algorithms. Should be a plugin system (or strategy pattern whatever).Was just using it to point out that it's not just == that does type coercion, switches do too.
Add Comment