|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2018-12-20 18:29 UTC] pegasus at vaultwiki dot org
Description: ------------ I recently noticed a behavior change in an application running on my web site where configuration values in the application that were disabled were being treated like they were still enabled. The application stores disabled values as '0' strings and relies on PHP's implicit conversion (bool)'0' to false. I have reduced the test cases and it seems to be related to whether there is a truthy value to the left of the '0' in an AND expression, and the evaluation is being stored in a variable. Depending on the way an application uses such an expression, this can have far-reaching implications for security and the integrity of the application data. Discovered on 7.2.11 (although I noticed the behavior for quite some versions before that), and confirmed still occurring on Git branch 7.2 as of 12/20/18. Test script: --------------- // basic tests var_dump(true AND '0'); // correctly returns false $test = true AND '0'; var_dump($test); // returns true, should be false PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Wed May 01 07:01:30 2024 UTC |
if ('0') {echo 'never happen';} but if ([0]) {echo 'always happen';} this is called inconsistency, languages like JS/Python does not have