Bug #62633 strcasecmp does not warn user if both params are not strings
Submitted: 2012-07-22 21:19 UTC
Modified: 2012-07-24 00:29 UTC
From: iam4webwork at hotmail dot com
Assigned:
Status: Not a bug
Package: Scripting Engine problem
PHP Version: Irrelevant
OS:
Private report: No
CVE-ID: None

 [2012-07-22 21:19 UTC] iam4webwork at hotmail dot com
Description:
------------
When I provide strcasecmp with two parameters where one is TRUE and the other is a 
string, php does not generate a warning to say that the first parameter needs to 
be a string and silently converts TRUE to "1" and executes.



Test script:
---------------
<?php

var_dump(strcasecmp(TRUE, "bob"));

// -49



Expected result:
----------------
I expected a parser error message.

Actual result:
--------------
-49

 [2012-07-22 21:23 UTC] iam4webwork at hotmail dot com
I believe that somewhere the underlying C source code is converting the PHP TRUE, 
i.e. 1 to "1"
 [2012-07-23 01:08 UTC] aharvey@php.net
-Status: Open +Status: Not a bug
 [2012-07-23 01:08 UTC] aharvey@php.net
PHP is a weakly typed language by design: if a scalar can be coerced into the type that a function expects, it will be.

Expected behaviour → not a bug.
 [2012-07-23 17:19 UTC] iam4webwork at hotmail dot com
If the PHP version of strcasecmp were to behave like the PHP version of strcmp 
in terms of handling a Boolean as input wouldn't that be more intelligent than 
allowing the C version of STRCASECMP to accept a parameter that is not 
terminated with a null string (see https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/847-BSI.html
re security issues: DOS)?

Also, whereas weakly-typed is a design feature, it should not become a mantra in 
its own right.  If a built-in function is expecting parameters of a certain type 
and an event occurs where the wrong parameters are provided shouldn't the user 
be alerted? Or, is the onus that of the programmer?
 [2012-07-24 00:29 UTC] aharvey@php.net
I think you've got it in one, really: the onus is on the developer. Weak typing doesn't have to be a mantra, but you have to pick a default behaviour in a language, and PHP defaults (generally) to its scalar being weakly typed and the onus being back on the developer to check inputs where it matters, rather than the strong typing onus on the developer of converting inputs.
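
The point the thread ends on, that the developer has to check inputs where it matters, as an added example that is not part of the original thread or of PHP's own code. `strict_strcasecmp` is a hypothetical helper name and the JSON payload is constructed sample input.

```php
<?php
// Added example: hypothetical helper, constructed input.

/**
 * Case-insensitive comparison that refuses non-string operands
 * instead of letting PHP coerce them (TRUE becomes "1", 5 becomes "5").
 */
function strict_strcasecmp($a, $b): int
{
    foreach (['first' => $a, 'second' => $b] as $pos => $value) {
        if (!is_string($value)) {
            throw new InvalidArgumentException(
                "strict_strcasecmp(): $pos argument must be a string, "
                . gettype($value) . ' given'
            );
        }
    }
    return strcasecmp($a, $b);
}

// Constructed request body: the client sent a JSON boolean
// where the application expected a string.
$payload = json_decode('{"code": true}', true);

// Weak typing: TRUE is coerced to "1" before the comparison runs,
// so a boolean is reported as equal to the string "1".
var_dump(strcasecmp($payload['code'], '1') === 0);

// The case from the report: TRUE becomes "1", which sorts before "bob",
// so the result is negative and no warning is raised.
var_dump(strcasecmp($payload['code'], 'bob') < 0);

// With the explicit check, the type mismatch surfaces as an exception
// at the point where the untrusted value is first compared.
try {
    strict_strcasecmp($payload['code'], '1');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

In PHP 7 and later, putting `declare(strict_types=1);` at the top of the calling file makes the unwrapped `strcasecmp(TRUE, "bob")` call throw a `TypeError` instead of coercing the boolean.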
 
Last updated: Wed Apr 24 23:01:34 2024 UTC