Broad Network


PHP Operator Basics with Security Concerns

Basics of PHP with Security Considerations - Part 8

Foreword: In this part of the series, I talk about some common PHP Operators; I also talk about the identical operator as solution to certain security problems.

By: Chrysanthus Date Published: 30 Aug 2018

Introduction

This is part 8 of my series, Basics of PHP with Security Considerations. In this part of the series, I talk about some common PHP Operators; I also talk about the identical operator as a solution to certain security problems. You should have read the previous parts of the series before reaching here, as this is the continuation.

Operand
An Operand is a variable or a literal (value) associated with an operator. Consider,

    $myVar = 30;

$myVar is the left operand and 30 is the right operand. = is the assignment operator, not the equal operator. The equal operator, used with numbers and strings, is ==, and it is used only in conditions.

Consider:

     $myVar && $hisVar && $herVar

There are three operands in the above expression. So, you can talk of the first, second and third operand. && is the AND operator. It is an example of a logical operator - see later.

Arithmetic Operators
An Arithmetic operator takes one or two numbers as operands (either literals or variables) and returns the answer, similar to what happens in arithmetic.

The standard arithmetic operators are addition (+), subtraction (-), multiplication (*), and division (/). To save time explaining these four operators, just read and try the following examples:

Addition Operator
Code example:

<?php

    $var1 = 20;
    $var2 = 30;
    
    $var3 = $var2 + $var1;

    echo $var3;

?>

Subtraction Operator
Code example:

<?php

    $var1 = 20;
    $var2 = 30;
    
    $var3 = $var2 - $var1;
    echo $var3;

?>

Multiplication Operator
Code example:

<?php

    $var1 = 20;
    $var2 = 30;
    
    $var3 = $var2 * $var1;

    echo $var3;

?>

Note that the multiplication operator is * and not X.

Division Operator
Code example:

<?php

    $var1 = 20;
    $var2 = 30;

    $var3 = $var2 / $var1;

    echo $var3;

?>

Note that the division operator is /.

Other operators are the Modulus (%), Increment (++), Decrement (--), and the Negation operators. You have to learn the particular way in which each of these operators behaves (see below).

Modulus Operator
The modulus operator divides the first operand by the second operand and returns the remainder. Read and try the following code:

<?php

    $var1 = 17;
    $var2 = 12;
    
    $var3 = $var1 % $var2;

    echo $var3;

?>

The Modulus operator is the percentage sign, %.

Increment Operator
The Increment Operator is ++. It works with one operand, not two like the others. The operand has to be a number. When it is placed in front of the operand (prefix), it behaves in one way. When it is placed after the operand (postfix), it behaves in another way.

Prefix: When it is prefix, it adds 1 to the operand and returns the incremented operand. Try the following code:

<?php

    $var1 = 10.5;
    
    $var2 = ++$var1;

    echo $var2;

?>

In the code, initially, 10.5 is assigned to $var1. Then we have a statement. In the statement you have a new variable, $var2, the assignment operator and then “++$var1”. What interests us here is “++$var1”, where the increment operator is in front of the variable. The value the increment operator returns is assigned to $var2. If you have tried the code, you would have noticed that the value of $var2 is 11.5. This means that, used as a prefix, it increments the operand and then returns the incremented operand. Note: in the above code, the final value for $var1 is 11.5 and not 10.5.

Postfix: When it is postfix, it returns the operand before adding 1 to it. The returned value is the original value of the operand. The increased value is the new value of the operand, which is not returned. Read and try the following code.

<?php

    $var1 = 10.5;
    
    $var2 = $var1++;

    echo $var2; echo "<br>";
    echo $var1;

?>

If you have tried the above code, you would have noticed that the value for $var2 is 10.5 and the final value for $var1 is 11.5, confirming that the incrementing took place after the value was returned. The “echo '<br>'” outputs an HTML line break so that the next result is displayed one line below the previous one. In PHP, you can have more than one statement in one line, such as in, “echo $var2; echo '<br>';”.

Decrement Operator
The Decrement operator, -- , behaves like the increment operator with the difference that it subtracts 1 instead of adding.

Negation Operator
This operator is the negative sign, - . It works with one operand (on its right); it negates the operand just like in math. Try the following:

<?php

    $var1 = 25;
    
    $var2 = -$var1;

    echo $var2;

?>

The NULL Value in a Condition
When a variable is declared without a value assigned to it, PHP assigns the constant value, null to the variable, without you knowing. When dealing with numbers, null is equal to zero but not identical to zero. When dealing with strings, null is equal to the empty string, "" or '', but not identical to the empty string. The identical operator is === . Try the following code:

<?php

    $var;   # declared without a value: reading it yields null (PHP also emits an undefined-variable notice or warning)

    if ($var == 0)
        {
            echo 'null equals zero', "<br>";
        }
    if (!($var === 0))
        {
            echo 'null is not identical to 0 but is equal to 0', "<br>";
        }

    echo '<br>';

    if ($var == '')
        {
            echo 'null equals ""', "<br>";
        }
    if (!($var === ''))
        {
            echo 'null is not identical to "" but is equal to ""', "<br>";
        }

?>

The output is:

null equals zero
null is not identical to 0 but is equal to 0

null equals ""
null is not identical to "" but is equal to ""

Comparison Operators
A comparison operator compares the operands on its sides and returns a logical value (true or false) depending on whether the comparison is correct or wrong. If the comparison is correct a logical value of true is returned. If it is wrong, a logical value of false is returned. Another name for Boolean Value is Logical Value, which is either true or false.

In PHP when dealing with a value, you should consider the type of the value as well, otherwise you will get into security problems. The types of values you have learned so far are: Integer (e.g. 3), Float (e.g. 3.5), Boolean (true or false), string (e.g. 'text') and Null (has only one value, null).

The Equal Operator for Numbers
It is ==, typed as a double assignment operator. The equal operator returns true if operands (numbers) are equal, otherwise it returns false. This operator should be used when the type does not matter, otherwise use the Identical operator, === .

The Not Equal Operator for Numbers
The Not Equal operator is the opposite of the Equal Operator. The Not Equal operator is, != . It returns true if the operands are not equal, otherwise it returns false. This operator should be used when the type does not matter, otherwise use the Not Identical operator, !== .

Let us look at some examples:

Try the following code:

<?php

    $myVar = 25;
    $hisVar = 30;

    if ($myVar != $hisVar)
        {
            echo 'The values of the two variables are not equal.';
        }

?>

$myVar is 25, $hisVar is 30. The condition is read like this: if $myVar is not equal to $hisVar, even if one variable is of type integer and the other is of type float, then the if-block is executed. Since the values of the variables are not equal (in value, independent of type), ($myVar != $hisVar) returns true.

In the following code, the values of the two variables are equal, so the condition returns false and the if-block is not executed.

<?php

    $myVar = 50;
    $hisVar = 50;

    if ($myVar != $hisVar)
        {
            echo 'The values of the two variables are not equal.';
        }

?>

Note: The letter O and the digit zero are not the same things. If you type the letter O in place of zero (0) you will not have the right results. The digit zero is found in the number keypad of your keyboard. The letter O is found in the main keyboard area.

The Equal Operator for Strings
The equal operator for strings is still == . The equal operator returns true if the operands (strings) are equal in characters and position of characters, respecting the corresponding casing (upper and lower case), but independent of the type; otherwise it returns false. Try the following code:

<?php

    if ('I love you.' == 'i love you')
        {
            echo 'The values are equal even though I is not i.';
        }
    else
        {
            echo 'The values are NOT equal because I and i have different casings.';
        }

?>

The Not Equal Operator for Strings
The Not Equal operator is the opposite of the Equal Operator, and it is still independent of type. The operator is != . It returns true if the operands are not equal, otherwise it returns false. Read and try the following code:

<?php

    if ('AB34E' != 'AB34E')
        {
            echo 'The values are not equal independent of type.';
        }
    else
        {
            echo 'The values are equal and type should not matter.';
        }

?>

The Greater Than Operator for Numbers
The Greater Than operator is, > . It returns true if the left operand is greater than the right operand. In the following example, the left operand is greater than the right operand. So the if-block is executed:

<?php

    $variab1 = 60;
    $variab2 = 70;
    if ($variab2 > $variab1)
        {
            echo 'The value of $variab2 is greater than the value of $variab1.';
        }

?>

Try the code.

Greater Than Or Equal Operator for Numbers
The Greater Than or Equal operator is, >= (it is the math greater than sign followed by the math equal sign). It returns true if the left operand is greater than or equal to the right operand. Try the following code:

<?php

    $variab1 = 60;
    $variab2 = 60;
    if ($variab2 >= $variab1)
        {
            echo '$variab2 is equal to $variab1, which satisfies the logic.';
        }

?>

The Less Than Operator for Numbers
The Less Than Operator is <. It returns true if the left operand is less than the right operand. Try the following code:

<?php

    $variab1 = 60;
    $variab2 = 70;
    if ($variab1 < $variab2)
        {
            echo 'The value of $variab1 is less than the value of $variab2.';
        }

?>

The Less Than or Equal Operator
The Less than or Equal operator is, <= . It returns true if the left operand is less than or equal to the right operand. Try the following code:

<?php

    $variab1 = 60;
    $variab2 = 60;
    if ($variab2 <= $variab1)
        {
            echo '$variab2 is equal to $variab1, which satisfies the logic.';
        }

?>

Security Issues

The Identical and Not Identical Operators
With comparison operators, security problems arise when dealing with == and != . == means the two operands are equal ignoring their types. != means the two operands are not equal, still ignoring their types.

If the two operands have to be equal in value and also be of the same type, then you have to use the identical operator which is === (i.e. three assignment operators).

Now, note this: if the two operands differ in value, differ in type, or differ in both value and type, then the Not Identical Operator, which is !== , returns true.

Let us look at some examples:

The value null is the only value of the type null. The Boolean type has two values, which are true and false. However, null is equal to false but not identical to false. A function might return the value null, which is a valid value. You may want to test if null has been returned; but if you instead compare it to false with the equal operator, you will have the wrong answer. To have the correct answer, you have to use the identical operator and compare null to null. The following code illustrates:

<?php

    $vari = null;   # returned from a function

    if (false == $vari)
        {
            echo 'This is not strict and so answer is definitely wrong.';
        }

    echo "<br>";  # send following output to next line

    if (null === $vari)
        {
            echo 'Very Correct!';
        }

?>

Try the code.

'0' and '' are each equal to false but not identical to false. '0' is a string with zero as the only character. '' is the empty string. They are both strings, so their type is not the same as the type of false. For effective verification of '0' or '', you have to use the identical operator (and not the equal operator). Read and try the following code:

<?php

    $vari = '';   # returned from a function

    if (false == $vari)
        {
            echo 'Looks correct but comparison is wrong!';
        }

    echo "<br>";  # send following output to next line

    if ('' === $vari)
        {
            echo 'Very Correct!';
        }

?>

Replace '' with '0' in the above code and you will have the same result.

Read and try the following code which shows that '-1' is equal to true but not identical to true:

<?php

    $vari = '-1';   # returned from a function

    if (true == $vari)
        {
            echo 'Looks correct but comparison is wrong!';
        }

    echo "<br>";  # send following output to next line

    if ('-1' === $vari)
        {
            echo 'Very Correct!';
        }

?>
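The same pitfall applied to a function's return value, as an added example that is not part of the original article: the getSetting() function and its stored values are hypothetical, constructed for this illustration. The second half goes beyond the article's cases and shows the same loose/identical split for an integer against a float, for 0 against null, and for two numeric strings, which == compares as numbers.

```php
<?php
// Added example, not code from the original article. It applies the
// article's == versus === point to a function whose valid return values
// ('0', '' and '-1') are loosely equal to a Boolean, then shows the same
// loose/identical split for numbers and numeric strings.

// Hypothetical lookup with constructed data: returns the stored setting
// as a string, or null when the key does not exist.
function getSetting(string $key): ?string
{
    $settings = ['maxUploads' => '0', 'displayName' => '', 'retries' => '-1'];
    return $settings[$key] ?? null;
}

// Wrong: '0', '' and null are all == false, so two valid settings
// ('0' and '') are reported as missing.
function isMissingLoose(string $key): bool
{
    return getSetting($key) == false;
}

// Right: null is the only value that is === null, so only the unknown
// key is reported as missing.
function isMissingStrict(string $key): bool
{
    return getSetting($key) === null;
}

foreach (['maxUploads', 'displayName', 'retries', 'noSuchKey'] as $key) {
    printf("%-12s loose: %-5s strict: %s\n", $key,
        var_export(isMissingLoose($key), true),
        var_export(isMissingStrict($key), true));
}

// == ignores type (25 and 25.0, 0 and null) and compares two numeric
// strings as numbers ('10' and '1e1'); === requires the same type and,
// for strings, the same characters ('0' and '' differ either way, since
// '' is not numeric and is compared as text).
$pairs = [[25, 25.0], [0, null], ['10', '1e1'], ['0', '']];
foreach ($pairs as [$a, $b]) {
    printf("%-5s vs %-5s ==: %-5s ===: %s\n",
        var_export($a, true), var_export($b, true),
        var_export($a == $b, true), var_export($a === $b, true));
}
```

Run it from the command line with php and compare the loose and strict columns: only the strict column matches the intent of "is this key missing?".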

We have done a lot. Time to take a break. Rendezvous in the next part of the series.

Chrys
