Request #66361 Risky behavior of switch statement
Submitted: 2013-12-27 20:37 UTC
Modified: 2013-12-27 20:39 UTC
From: mmshfe at gmail dot com
Assigned:
Status: Duplicate
Package: SPL related
PHP Version: Irrelevant
OS: Any OS
Private report: No
CVE-ID: None
 [2013-12-27 20:37 UTC] mmshfe at gmail dot com
Description:
------------
As mentioned in the docs, the switch statement is a loose type comparison tool. But this may lead to a serious bug in user products. It would be really better to force it to use strong type comparison (or have an option, such as an optional 2nd argument, letting users do so). In the real world, we have no other loosely typed languages that behave like this. For example, in JavaScript, the result is fine. I mean, although being a loosely typed language is a good feature for PHP overall, it should not lead to unexpected results that are not shown in any other language (even the other loosely typed ones).
I really know the process flow. It uses if, elseif, else statements like this:

if($v == 'hello') {
    echo 'Hello';
}
elseif($v == 'goodbye') {
    echo 'Goodbye';
}
else {
    echo 'Error';
}

And 'hello' is converted to integer (with intval('hello') or anything similar) and because it does not contain an integer value at the beginning, it uses the default integer value (zero) and so the first case becomes true. All I want to say is that this behavior is incorrect because almost always it's not the behavior that the developer expected.

Test script:
---------------
$v = 0;
switch($v) {
case 'hello':
    echo 'Hello';
    break;
case 'goodbye':
    echo 'Goodbye';
    break;
default:
    echo 'Error';
    break;
}

Expected result:
----------------
Error

Actual result:
--------------
Hello

 [2013-12-27 20:39 UTC] rasmus@php.net
-Status: Open +Status: Duplicate
 [2014-01-01 09:04 UTC] hamidreza dot mz712 at gmail dot com
I think the extreme implicit type conversion of PHP is wrong design, because it can/will cause many more bugs and security holes than it can help in writing programs faster/more easily. A string containing characters that aren't legal in numbers should not be converted to a number implicitly. Only implicitly converting strings that are completely numerical to numbers can be useful. Other dynamic languages do this and no more; more can be really dangerous/troublesome.

An example of how easily a security hole can be created in PHP:

<?php

//you should know, we can specify sort column(s) by column number in a query.

$sort_columns=Array(2, 3, 5);
//the most safe validation method: white list! seems completely safe! not?

$user_input='2';

if(!in_array($user_input, $sort_columns)) echo "'$user_input': <span style='color: red'>illegal sort column!</span>";
else echo "'$user_input': <span style='color: green'>input validated.</span>";

echo '<div>&nbsp;</div>';

$user_input='7';

if(!in_array($user_input, $sort_columns)) echo "'$user_input': <span style='color: red'>illegal sort column!</span>";
else echo "'$user_input': <span style='color: green'>input validated.</span>";

echo '<div>&nbsp;</div>';

$user_input='sql injection';

if(!in_array($user_input, $sort_columns)) echo "'$user_input': <span style='color: red'>illegal sort column!</span>";
else echo "'$user_input': <span style='color: green'>input validated.</span>";

//so far, everything seems ok/expected!

//but see what type juggling can do for us (indeed for hackers!)...

echo '<div>&nbsp;</div>';

$user_input='2 sql injection';

if(!in_array($user_input, $sort_columns)) echo "'$user_input': <span style='color: red'>illegal sort column!</span>";
else echo "'$user_input': <span style='color: green'>input validated.</span>";

$query="select * from table order by $user_input ...";

//of course, there are many other cases where type juggling can help us in writing more secure and reliable (bug free) programs!!
//and not only that, type juggling helps us write programs much faster and more easily too. but i leave it up to you to show some examples about that matter.
//lol

?>
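
A strict version of the two checks discussed in this report, as an added example that is not part of the original thread or of PHP's own code: the whitelist test passes `true` as the third argument of in_array() and the switch is replaced by match, which compares with ===. The helper names resolve_sort_column() and greet() are hypothetical, the inputs are constructed, and match and the mixed type require PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Whitelist from the comment above: column positions allowed in ORDER BY.
const SORT_COLUMNS = [2, 3, 5];

// Hypothetical helper: returns the whitelisted integer, or null when rejected.
function resolve_sort_column(string $input, array $allowed): ?int
{
    // Accept plain decimal digits only, so "2 sql injection", " 2" and "2.0" fail.
    if (!ctype_digit($input)) {
        return null;
    }
    $column = (int) $input;
    // Third argument true makes in_array() compare with === instead of ==.
    return in_array($column, $allowed, true) ? $column : null;
}

// Hypothetical helper: strict replacement for the switch in the report.
function greet(mixed $v): string
{
    // match compares with ===, so integer 0 never selects a string arm.
    return match ($v) {
        'hello'   => 'Hello',
        'goodbye' => 'Goodbye',
        default   => 'Error',
    };
}

// Constructed inputs, mirroring the ones used in the thread.
foreach (['2', '7', 'sql injection', '2 sql injection'] as $input) {
    $column = resolve_sort_column($input, SORT_COLUMNS);
    if ($column === null) {
        printf("%-18s rejected\n", "'$input'");
        continue;
    }
    // Interpolate the validated integer, never the raw request string.
    $query = "select * from table order by $column";
    printf("%-18s accepted: %s\n", "'$input'", $query);
}

var_dump(greet(0));       // the test script's input, now handled by the default arm
var_dump(greet('hello')); // exact string match
```

The value placed in the query is the integer taken from the whitelist check, so the request string itself never reaches the SQL text.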
 