3

I am checking the validation of the request with an if query,

if ($request_userid == $userid) {
...
}

That's working as expected. But further testing has shown that if $request_userid or $userid is 0 or "", then the condition is true and the script runs the if query, but it shouldn't.

I am currently solving it with:

if ($userid == "" ) {
exit ("exit");
}

But I don't think that this is the right way?

Can you explain why it doesn’t work with the if query and what would be the correct way to check it?

Giacomo1968
user2933212
  • @CBroe To an extent it might be a dupe of that other thread on some level. But the larger scope of this seems to be the basic concept of user input validation & how to code against the unknown data that can present itself when dealing with user generated data. – Giacomo1968 May 30 '14 at 03:49

4 Answers

4

Here is the PHP page on comparison operators.

You're using a loose comparison by using a double-equals sign. Change it to a triple equals sign and it will check by both type and value.

Also see this page on booleans & casting.

The reason '' == 0 evaluates to TRUE is that the integer 0, when cast as a boolean, converts to FALSE. The empty string ('') also converts to FALSE. Therefore, your comparison ends up looking like if (false == false), which is true.

Giacomo1968
Travesty3
  • So $a === $b would be correct? I tried it already, but it doesn't make a difference. I get the same result as for ==. If I understand it right, then 12 == 21 would be true and with 12 === 21 it would be false, is that correct? – user2933212 May 30 '14 at 03:11
  • `$a === $b` is a valid way to write a conditional. `12 == 21` would be true, and `12 === 21` would also be true. But `12 === '21'` would be false, because the `'21'` is a string and `12` is an integer. With strict comparison (`===`), the two variables must be equivalent AND they must be of the same type. – Travesty3 May 30 '14 at 03:14
  • Thanks a lot - with `if ($request_userid === "$userid")` it's working - just to be absolutely sure - this is the correct way for checking? Sorry for asking again, I am pretty new with PHP. – user2933212 May 30 '14 at 03:16
  • There's no end-all "correct" way for checking. It depends on your use case. But usually, it's safer to check using strict comparison, to make sure you know what you're getting. But in some cases, you may want loose comparison. So it all depends. – Travesty3 May 30 '14 at 03:21
1

You could use

if ($request_userid === $userid && $userid != "" )
1

why it doesn't work with the if query?

Because you are comparing types using the == comparison operator, the type of "" and, let's say, $userid = "SpongeBob" will match.

what would be the correct way to check it?

Now if you use the === comparison operator you will compare equality; then you will be comparing whether they are identical, and $userid = "SpongeBob" won't match with "".

Roberto
  • `"SpongeBob" == ""` should return false (even with loose comparison). Those are both strings, so no type-casting is needed. – Travesty3 May 30 '14 at 03:22
1

Just change the logic to this:

if ((!empty($request_userid) && !empty($userid)) && ($request_userid === $userid)) {
...
}

The issue is that 0 and null will always equal each other when you do ==, which compares between two different datatypes, i.e. null and 0. But === ensures that both values have the same type. So 0 and null will never match with ===. And the !empty() checks are another level of validation, ensuring that the === will never happen unless $request_userid and $userid are 100% not empty.

That said, the conditional you are using to solve this issue currently will work:

if ($userid == "" ) {
   exit ("exit");
}

But I would just recommend changing that to:

if (empty($userid)) {
   exit ("exit");
}

At the end of the day, this is not a kludge or messy but simply a way of dealing with the realities of validating user input.

Giacomo1968
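An added worked example, not part of the question or of any of the answers above, that puts the question's == check, the === check from the accepted answer, and a validate-then-compare-strictly check side by side on the inputs the thread worries about. It assumes user ids are positive integers and that the request value arrives as a string, as $_GET and $_POST values do; the names looseCheck, strictCheck, toUserId, isSameUser and runCases are chosen for this example. The results in the comments are for PHP 7; PHP 8 changed 0 == "" to false but left null == "" and null == 0 true.

```php
<?php
declare(strict_types=1);

// Added example; not code from the question or from any of the answers.
// Assumptions: the request value is a string (as $_GET/$_POST values are)
// or an int, the session value is an int or a string, and user ids are
// positive integers. Both values are passed as plain variables so the
// script runs from the command line without a web server.

// The check exactly as posted in the question: loose comparison.
function looseCheck($requestUserId, $userId): bool
{
    return $requestUserId == $userId;
}

// Strict comparison on its own, as suggested in the accepted answer.
function strictCheck($requestUserId, $userId): bool
{
    return $requestUserId === $userId;
}

// Normalise one candidate id to a positive int, or null if it is not one.
// Only ints and strings are considered; arrays, bools and null fail closed.
// FILTER_VALIDATE_INT rejects "", "abc", "1.0", "1e3" and "07" (leading
// zero), and min_range => 1 rejects 0 and negative numbers.
function toUserId($value): ?int
{
    if (!is_int($value) && !is_string($value)) {
        return null;
    }
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened check: both ids must validate, and must then be identical.
// empty() is deliberately not used here: empty('0') is true, and empty()
// says nothing about whether a value has the type you expect.
function isSameUser($requestUserId, $sessionUserId): bool
{
    $req = toUserId($requestUserId);
    $ses = toUserId($sessionUserId);
    if ($req === null || $ses === null) {
        return false;
    }
    return $req === $ses;
}

// Constructed inputs covering the failure modes discussed in the thread.
// Expected (PHP 7):                              loose  strict hardened
//   ['', null]  no request id, nobody logged in  true   false  false
//   [0, '']     zero vs empty string             true   false  false  (PHP 8: loose is false)
//   ['7', 7]    request string vs session int    true   false  true
//   ['7', '7']  genuine match, same type         true   true   true
//   ['07', 7]   leading zero                     true   false  false
//   ['8', 7]    a different user                 false  false  false
function runCases(): array
{
    $cases = [
        'no userid in request, no login in session' => ['', null],
        'zero in request, empty string in session'  => [0, ''],
        'string "7" from request, int 7 in session' => ['7', 7],
        'string "7" on both sides'                  => ['7', '7'],
        'leading-zero "07" vs int 7'                => ['07', 7],
        'other user: "8" vs int 7'                  => ['8', 7],
    ];
    $results = [];
    foreach ($cases as $label => [$req, $ses]) {
        $results[$label] = [
            'loose'    => looseCheck($req, $ses),
            'strict'   => strictCheck($req, $ses),
            'hardened' => isSameUser($req, $ses),
        ];
    }
    return $results;
}

foreach (runCases() as $label => $r) {
    printf("%-45s loose=%-5s strict=%-5s hardened=%s\n",
        $label,
        var_export($r['loose'], true),
        var_export($r['strict'], true),
        var_export($r['hardened'], true));
}
```

Run it with php from the command line. The ['7', 7] row is the one worth noticing: a bare === rejects a legitimate request whenever the session stores the id as an int and the request supplies a string, which is what pushed the asker towards `=== "$userid"`. Validating and normalising both sides to a known type first, failing closed on anything that does not validate, and only then comparing strictly avoids both the false match on missing values and the false mismatch on types.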