-4

Consider this code:

<?php
// Vulnerable as posted: under PHP's loose comparison a non-numeric string such as
// "abc" satisfies == 0, so it passes this check and is concatenated into the query.
if($_GET["inp"]==0 || $_GET["inp"]==1) $inp=$_GET["inp"];
mysql_query("select * from table1 where field1=".$inp);
?>

and PHP evaluates the statement `$_GET["inp"]==0` as always true unless we use `$_GET["inp"]=="0"`.

So if someone uses this code, he can be hacked by SQL injection. Does this count as a bug?

scrowler
Mehdi Azizi
    No. It is well-documented behavior, even if perhaps not expected (or desirable). See [Type Juggling](http://php.net/manual/en/language.types.type-juggling.php) and the [Comparison Operators](http://php.net/manual/en/language.operators.comparison.php). – user2864740 Aug 04 '14 at 02:02
  • This question appears to be off-topic because the code is being used incorrectly. – Kermit Aug 04 '14 at 02:04
  • @Kermit That is a good call and is [covered in this popular question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1). – user2864740 Aug 04 '14 at 02:04
  • It's the difference between strict and loose comparison. If your possible values are `1` or `0` you should strictly check for those values, otherwise `0` can loosely evaluate to false and `1` can evaluate to true. If the variables are coming from $_GET, they will always be strings - so keep that in mind when strictly comparing. – scrowler Aug 04 '14 at 02:04
  • Why must `"hello"==0` return true? – Mehdi Azizi Aug 04 '14 at 02:05
  • `"thats not" == "how it works"` – Kermit Aug 04 '14 at 02:06
  • @MehdiAzizi Because, from the Operator link above: "Translate strings and resources to numbers, usual math", when one side is a string and the other is a number. – user2864740 Aug 04 '14 at 02:08
  • It's most definitely not a bug. It's just a problem with PHP being very loose with comparisons if using ==. One of the many, many problems/pitfalls in PHP. – Daryl Gill Aug 04 '14 at 03:10
  • How can it be unclear what the opener is asking? It's very clear: why is `'somestring' == 0` true? – Christian Gollhardt Aug 04 '14 at 04:48

1 Answer

3

No, it is not a bug.

$_GET["inp"]==0

should be

$_GET["inp"]==="0"

`===` means you also check the data type, not just the value. Take a look here: http://php.net/manual/de/language.operators.comparison.php

Also please take a look at PDO (http://php.net/manual/de/book.pdo.php) and prepared statements. (SQL injection is possible with your code.)

Why should `"everything"==0` return true? Yes, I know about `===`, but even `==` must not return true. – Mehdi Azizi

From the docs here: http://php.net/manual/en/language.operators.comparison.php

If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a number and the comparison performed numerically. These rules also apply to the switch statement. The type conversion does not take place when the comparison is === or !== as this involves comparing the type as well as the value.

With this info we can convert this:

var_dump(0 == "a"); //true in PHP 5 and 7
//"a" is not a numeric string, so it is converted to 0 for the comparison
var_dump(0 == 0); //true
//PHP 8 changed this rule: an int compared with a non-numeric string is compared
//as a string instead, so 0 == "a" is false there

What we want:

//Note it is === and not ==
var_dump(0 === "a"); //false

Also interesting:

var_dump("true" == 0); //true in PHP 5 and 7 (non-numeric string becomes 0), false in PHP 8
var_dump("true" == 1); //false
var_dump("false" == 0); //true in PHP 5 and 7 (same rule), false in PHP 8
var_dump("1" == 1); //true
var_dump("1" == 0); //false
var_dump("0" == 0); //true

And for prevention

var_dump(empty("")); //true
var_dump(empty(0)); //true
var_dump(empty(null)); //true
var_dump(empty(false)); //true
var_dump(empty(true));  //false

If you want to check for a "real" empty string, use `$var === ''`. PHP is a very old language with many design flaws.

Christian Gollhardt
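The two points made above, the loose-comparison gate from the question and the strict comparison plus PDO advice from the answer, put side by side in working code. This is an added example, not code from the question or the answer; it assumes PHP 7 or later with the pdo_sqlite extension, and the `table1` rows and the `"0 or 1=1"` payload are constructed here for the demonstration.

```php
<?php
// Added example, not code from the question or the answer above. Assumes PHP 7
// or later with the pdo_sqlite extension; the table, rows and payloads below
// are constructed for the demonstration.

// The gate as posted: a loose comparison of the raw query-string value.
function loose_check(string $inp): bool
{
    return $inp == 0 || $inp == 1;
}

// Hardened gate. $_GET values are always strings, so compare against the exact
// strings "0" and "1" with ===, which never converts types.
function strict_check(string $inp): bool
{
    return $inp === "0" || $inp === "1";
}

// The query as posted: the value is concatenated into the SQL text, so
// whatever passes the gate becomes part of the statement.
function lookup_concat(PDO $db, string $inp): array
{
    $sql = "SELECT * FROM table1 WHERE field1=" . $inp;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened query: strict gate, then a prepared statement with a bound integer.
// The input travels as data and cannot change the SQL.
function lookup_prepared(PDO $db, string $inp): array
{
    if (!strict_check($inp)) {
        throw new InvalidArgumentException('inp must be "0" or "1"');
    }
    $stmt = $db->prepare("SELECT * FROM table1 WHERE field1 = :f");
    $stmt->bindValue(':f', (int) $inp, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory database standing in for the real table1 (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE table1 (id INTEGER PRIMARY KEY, field1 INTEGER, note TEXT)");
$db->exec("INSERT INTO table1 (field1, note) VALUES (0, 'zero'), (1, 'one'), (2, 'secret')");

// Constructed attacker input. It is a leading-numeric string, so PHP 7 converts
// it to 0 for the == comparison and the loose gate passes; the SQL that results
// is "... WHERE field1=0 or 1=1", which matches every row. PHP 8 compares an int
// with a non-numeric string as strings, so the same gate rejects it there.
$payload = "0 or 1=1";

foreach (["0", "1", "abc", $payload] as $inp) {
    printf("%-12s loose=%-5s strict=%s\n", var_export($inp, true),
        loose_check($inp) ? 'pass' : 'fail',
        strict_check($inp) ? 'pass' : 'fail');
}

if (loose_check($payload)) {
    // Only reached where the loose gate lets the payload through (PHP 7):
    // the concatenated query returns every row, including 'secret'.
    printf("concatenated query returned %d rows\n", count(lookup_concat($db, $payload)));
}

printf("prepared query for \"1\" returned %d row(s)\n", count(lookup_prepared($db, "1")));
try {
    lookup_prepared($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "prepared path rejected payload: ", $e->getMessage(), "\n";
}
```

Run it with `php` on the command line. On PHP 7 the loose gate accepts both `"abc"` and `"0 or 1=1"` (both are converted to 0 for `==`) and the concatenated query returns all three rows; on PHP 8 the loose gate rejects them because an int compared with a non-numeric string is compared as a string. The concatenation remains an injection sink for any value that does get through, so the prepared statement is the fix regardless of PHP version, and the strict gate is what keeps the check meaning what the author intended.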