PHP Loose and Strict Comparisons for Security
PHP Control Structures with Security Considerations - Part 5
Foreword: In this part of the series, I cover PHP loose and strict comparisons and how they affect security.
By: Chrysanthus Date Published: 17 Oct 2018
Introduction
Type Related Functions
The gettype() Function
The syntax for the gettype() function is:
string gettype ($var)
It returns the type of the variable. Possible returned strings are:
'boolean'
'integer'
'double' (for historical reasons 'double' is returned in case of a float, and not simply 'float')
'string'
'array'
'object'
'resource'
'NULL'
'unknown type'
Try the following code:
<?php
$var = 25;
$ret = gettype($var);
echo $ret;
?>
The output is:
integer
The empty() Function
First, let us define what empty means. The following values are considered empty:
- '' (an empty string)
- 0 (0 as an integer)
- 0.0 (0 as a float)
- '0' (0 as a string)
- NULL
- FALSE
- array() (an empty array)
- var $var; (a variable declared, but without a value in a class)
Any other value is not empty.
The syntax for the empty() function is:
bool empty($var)
The function returns true if the variable is empty, and false otherwise. Try the following code:
<?php
$var = '';
$ret = empty($var);
echo $ret;
?>
On my computer, true is displayed as 1 and false is not displayed. The output is:
1
The is_null() Function
The syntax for this function is:
bool is_null($var)
The function returns true if the variable is NULL and false otherwise. Try the following code:
<?php
$var = NULL;
$ret = is_null($var);
echo $ret;
?>
The output is:
1
The isset() Function
The syntax for the isset() function is:
bool isset($var)
The function returns true if $var exists and has a value other than NULL, and false otherwise.
Try the following code:
<?php
$var = 'text';
$ret = isset($var);
echo $ret;
?>
The output is:
1
The if($x) Condition
The body of an if-statement is executed when its condition evaluates to true and is skipped when it evaluates to false. The following values are equivalent to false in a condition:
- the boolean FALSE itself
- the integer 0 (zero)
- the float 0.0 (zero)
- the empty string, and the string '0'
- an array with zero elements
- an object with zero member variables (PHP 4 only)
- the special type NULL (including unset variables)
- SimpleXML objects created from empty tags
Any other value including -1 is equivalent to true inside a condition.
Comparisons of $x with the above PHP functions
The following table gives the return value of each function, and the result of if($x), for different values of the variable $x.
Expression | gettype() | empty() | is_null() | isset() | boolean : if($x) |
---|---|---|---|---|---|
$x = ""; | string | TRUE | FALSE | TRUE | FALSE |
$x = null; | NULL | TRUE | TRUE | FALSE | FALSE |
var $x; | NULL | TRUE | TRUE | FALSE | FALSE |
$x is undefined | NULL | TRUE | TRUE | FALSE | FALSE |
$x = array(); | array | TRUE | FALSE | TRUE | FALSE |
$x = false; | boolean | TRUE | FALSE | TRUE | FALSE |
$x = true; | boolean | FALSE | FALSE | TRUE | TRUE |
$x = 1; | integer | FALSE | FALSE | TRUE | TRUE |
$x = 42; | integer | FALSE | FALSE | TRUE | TRUE |
$x = 0; | integer | TRUE | FALSE | TRUE | FALSE |
$x = -1; | integer | FALSE | FALSE | TRUE | TRUE |
$x = "1"; | string | FALSE | FALSE | TRUE | TRUE |
$x = "0"; | string | TRUE | FALSE | TRUE | FALSE |
$x = "-1"; | string | FALSE | FALSE | TRUE | TRUE |
$x = "php"; | string | FALSE | FALSE | TRUE | TRUE |
$x = "true"; | string | FALSE | FALSE | TRUE | TRUE |
$x = "false"; | string | FALSE | FALSE | TRUE | TRUE |
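As an added example (not code from the original article), the following distinguishes the table's undefined, NULL, empty-string and "0" cases when they arrive as request parameters. It goes slightly beyond the table by using array_key_exists(), which, unlike isset(), reports a key that exists but holds NULL; the input array is constructed in the code.

```php
<?php
// Added example (not from the original article): how isset(), empty()
// and is_null() classify the table's values when they arrive as
// request parameters. The input array is constructed here to stand in
// for $_GET or a decoded JSON body.
declare(strict_types=1);

// Returns 'absent', 'null', 'empty' or 'present' for $params[$key].
// array_key_exists() is used beside isset() because isset() alone
// reports FALSE for a key that exists but holds NULL (see the table).
function classifyParam(array $params, string $key): string
{
    if (!array_key_exists($key, $params)) {
        return 'absent';     // the "$x is undefined" row
    }
    if (is_null($params[$key])) {
        return 'null';       // the "$x = null" row: isset() is FALSE
    }
    if (empty($params[$key])) {
        return 'empty';      // "", "0", 0, 0.0, false, array()
    }
    return 'present';
}

// A user id of "0" is a legitimate value, but empty() treats it as
// empty, so a check such as if (empty($_GET['id'])) would reject it.
// Validate the format instead of relying on emptiness or truthiness.
function requireId(array $params, string $key): ?int
{
    if (!isset($params[$key]) || !is_string($params[$key])) {
        return null;         // missing, NULL, or not a string
    }
    if (preg_match('/^(0|[1-9][0-9]*)$/', $params[$key]) !== 1) {
        return null;         // not a canonical non-negative integer
    }
    return (int) $params[$key];
}

// Constructed input covering the table's "", null, "0" and undefined
// cases plus an ordinary string.
$input = ['a' => '', 'b' => null, 'c' => '0', 'd' => 'php', 'id' => '0'];

foreach (['a', 'b', 'c', 'd', 'missing'] as $k) {
    echo $k, ': ', classifyParam($input, $k), PHP_EOL;
}
var_dump(requireId($input, 'id'));   // accepted although empty('0') is TRUE
var_dump(requireId($input, 'd'));    // rejected: not numeric
```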
Loose Comparison
Loose comparison uses == or !=, which compares values only, not values and types. The following table gives the result of == for each pair of operands (the row operand on the left, the column operand on the right).
== | TRUE | FALSE | 1 | 0 | -1 | "1" | "0" | "-1" | NULL | array() | "php" | "" |
---|---|---|---|---|---|---|---|---|---|---|---|---|
TRUE | TRUE | FALSE | TRUE | FALSE | TRUE | TRUE | FALSE | TRUE | FALSE | FALSE | TRUE | FALSE |
FALSE | FALSE | TRUE | FALSE | TRUE | FALSE | FALSE | TRUE | FALSE | TRUE | TRUE | FALSE | TRUE |
1 | TRUE | FALSE | TRUE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE |
0 | FALSE | TRUE | FALSE | TRUE | FALSE | FALSE | TRUE | FALSE | TRUE | FALSE | TRUE | TRUE |
-1 | TRUE | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE |
"1" | TRUE | FALSE | TRUE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE |
"0" | FALSE | TRUE | FALSE | TRUE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE |
"-1" | TRUE | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE |
NULL | FALSE | TRUE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | TRUE | TRUE | FALSE | TRUE |
array() | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | TRUE | TRUE | FALSE | FALSE |
"php" | TRUE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | TRUE | FALSE |
"" | FALSE | TRUE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | TRUE |
Strict Comparison
Strict comparison uses === or !==, which compares both values and types. The following table gives the result of === for each pair of operands (the row operand on the left, the column operand on the right).
=== | TRUE | FALSE | 1 | 0 | -1 | "1" | "0" | "-1" | NULL | array() | "php" | "" |
---|---|---|---|---|---|---|---|---|---|---|---|---|
TRUE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE |
FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE |
1 | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE |
0 | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE |
-1 | FALSE | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE |
"1" | FALSE | FALSE | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE |
"0" | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | FALSE |
"-1" | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE |
NULL | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE |
array() | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | TRUE | FALSE | FALSE |
"php" | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | TRUE | FALSE |
"" | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | FALSE | TRUE |
Security Considerations
When you need to compare types as well as values, use strict comparison; otherwise, use loose comparison.
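The following added example (not from the original article) applies this advice to a secret check, using the kinds of values that appear in the loose and strict comparison tables above. The stored secret and the submitted values are constructed, and hash_equals() is PHP's constant-time string comparison.

```php
<?php
// Added example (not from the original article): applying the
// strict-comparison advice to a secret check. The stored secret and
// the submitted values are constructed for the demonstration.
declare(strict_types=1);

const STORED_SECRET = 'php';   // constructed; stands in for a stored token

// Loose check: == follows the loose comparison table, so a submitted
// value of another type can compare equal to the stored string. From
// that table, "php" == TRUE is TRUE, and "php" == 0 is TRUE before
// PHP 8.0 (PHP 8 changed how non-numeric strings compare with
// integers, so that cell depends on the PHP version).
function looseCheck($submitted): bool
{
    return $submitted == STORED_SECRET;
}

// Strict check: === needs the same type and the same value, which is
// why only the diagonal of the strict comparison table is TRUE.
// hash_equals() is PHP's constant-time comparison and accepts only
// strings, so the type test comes first.
function strictCheck($submitted): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals(STORED_SECRET, $submitted);
}

// Submitted values of the kinds listed in the comparison tables. A
// decoded JSON body can deliver a bool, an int or NULL here rather
// than a string.
$candidates = [
    'the real secret' => 'php',
    'boolean true'    => true,
    'integer 0'       => 0,
    'empty string'    => '',
    'NULL'            => null,
];

foreach ($candidates as $label => $value) {
    printf("%-16s loose: %-5s strict: %s\n",
        $label,
        looseCheck($value) ? 'TRUE' : 'FALSE',
        strictCheck($value) ? 'TRUE' : 'FALSE');
}
```

Only the real secret passes the strict check, while the loose check also accepts at least one non-string value, which is exactly the case the advice above guards against.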
That is it for this part of the series.
Chrys