
I've read somewhere that `===` is more secure than `==`. So should I use something like this:

    if ($user === "") {
        echo "you are not logged in";
    }

instead of

    if ($user == "") {
        echo "you are not logged in";
    }

? The question is probably stupid, but I never really used `===`, so I don't know much about it from a security standpoint.

I am strictly interested in why `===` is more secure than `==`. The duplicate doesn't address that.

Menel
  • `==` and `===` are the same, with the exception that the latter forces type to match. See the [documentation](http://php.net/manual/en/language.operators.comparison.php) for more information. – Jonnix May 22 '16 at 18:30
  • @JonStirling Yeah I saw that just an hour ago and there was a guy saying "comparing passwords with == may result in a very large security hole". Though I use password_verify function, I still use == for many other validations... – Menel May 22 '16 at 18:33
  • http://stackoverflow.com/questions/80646/how-do-the-php-equality-double-equals-and-identity-triple-equals-comp – Thamilhan May 22 '16 at 18:35
  • So *you've* misread something else into "three equals are 'more secure'". – mario May 22 '16 at 18:37
  • @Thamilan But no one explains the security aspect of `==` vs `===`, except one guy that only mentions it... – Menel May 22 '16 at 18:38
  • @mario I don't understand. – Menel May 22 '16 at 18:39
  • Have you read through the linked answers yet? `===` is not more secure, it forces identity comparisons for strings. In the context of password hash comparisons it is *more correct*. (As would be `strcmp`.) – mario May 22 '16 at 18:51
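
The behaviour the comments above refer to, as an added example that is not part of the original thread: `==` converts numeric-looking strings before comparing them, and `=== ""` on its own does not match `null` or `false`. All sample values and the `is_logged_in()` helper are constructed for illustration.

```php
<?php
// Added example, not code from the question. All values are constructed.

// Two different strings that both parse as "0 times 10^N" when read as numbers.
$stored   = '0e123456789012345678901234567890';
$supplied = '0e987654321098765432109876543210';

// == sees two numeric strings and compares them as numbers (both 0.0),
// so it reports a match although the strings differ.
printf("loose      : %s\n", var_export($stored == $supplied, true));

// === compares type and content with no numeric conversion.
printf("strict     : %s\n", var_export($stored === $supplied, true));

// hash_equals() also compares content only, and does so in constant time,
// which is what a comparison of secrets (tokens, MACs, hashes) needs.
printf("hash_equals: %s\n", var_export(hash_equals($stored, $supplied), true));

// The check from the question: which "empty" values does each operator catch?
// is_logged_in() is a hypothetical helper whose result does not depend on how
// either operator treats null, false or 0.
function is_logged_in($user): bool
{
    return is_string($user) && $user !== '';
}

foreach ([null, false, 0, '', '0', 'menel'] as $user) {
    printf(
        "%-8s == \"\": %-5s  === \"\": %-5s  is_logged_in: %s\n",
        var_export($user, true),
        var_export($user == '', true),
        var_export($user === '', true),
        var_export(is_logged_in($user), true)
    );
}
```

The `0 == ""` row depends on the PHP version: it is true before PHP 8.0 and false from 8.0 on, while the `0e...` string comparison behaves the same in both.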
