Edit report at https://bugs.php.net/bug.php?id=54547&edit=1
ID: 54547
Comment by: jacob at fakku dot net
Reported by: peter dot ritt at gmx dot net
Summary: wrong equality of string numbers
Status: Verified
Type: Bug
Package: Unknown/Other Function
Operating System: linux
PHP Version: 5.3.6
Assigned To: dmitry
Block user comment: N
Private report: N
New Comment:
I'm just gonna paste in that PHP Sadness article to show why this is such a big
issue.
According to php language.operators.comparison, the type-coercing comparison
operators will coerce both operands to floats if they both look like numbers,
even if they are both already strings:
If you compare a number with a string or the comparison involves numerical
strings, then each string is converted to a number and the comparison performed
numerically.
This can become especially important in situations where the developer chooses
to use == to compare two values which will always be strings. For example,
consider a simple password checker:
if (md5($password) == $hash) {
print "Allowed!\n";
}
Assume that the $hash is loaded from a known safe string value from a database
and contains a real MD5 hash. Now, suppose the $password is "ximaz", which has
an all-numeric hex-encoded MD5 hash of "61529519452809720693702583126814". When
PHP does the comparison, it will print "Allowed!" for any password which
matches
even the first half of the hash:
$ php -r 'var_dump("61529519452809720693702583126814" ==
"61529519452809720000000000000000");'
bool(true)
The solution, of course, is "never use type-coercing comparison operators" -
but
this remains an easily-overlooked bug factory for beginning and even
intermediate developers. Some languages solve this situation by having two
separate sets of comparison operators for numeric or string comparisons so that
the developer can be explicit in their intent without needing to manually cast
their arguments.
Previous Comments:
------------------------------------------------------------------------
[2012-04-12 15:55:26] yless42 at hotmail dot com
Wouldn't it make the most sense to compare the strings as string (and thus pass
in the original case), then fall back on other comparison methods when they
don't match? I admit I don't have test cases but it seems that this would be
backwards compatible in most cases (as you will eventually compare numerically)
and fix the given issue.
Unless there are cases which rely on the two same strings failing to compare as
equal.
------------------------------------------------------------------------
[2012-04-12 15:20:45] [email protected]
I'd like to add that strcmp() and familly are functions designed to compare
strings, as they are in C ; except that in PHP they are binary compatible, like
PHP strings are
------------------------------------------------------------------------
[2012-04-12 14:17:32] [email protected]
@Jeff Please see jabakobob's comment why doing just a string comparison can be
counterproductive. Remember: PHP is mainly used around the HTTP protocol (where
everything is a string) and MySQL (where also everything is returned as a
string). So in PHP you will often deal with numbers in strings, thus they
should be handled as such.
------------------------------------------------------------------------
[2012-04-12 14:02:02] Jeff at bobmail dot info
That didn't address my comment. Why wouldn't the internal implementation check
to see if the strings are the same? When doing a comparison and the internal
data type is a string, wouldn't that be faster and most correct?
In all honesty I would prefer PHP's "loosely typed" system mimic JavaScript's
in that any type can be put anywhere but the object still keeps its type
information for situations just like this.
------------------------------------------------------------------------
[2012-04-12 13:59:32] [email protected]
@Jeff: You have to understand in PHP 1, 1.0 and "1.0" all are equivalent (in
most situations). That's by design.
E.g. GET and POST variables are always strings, even if you put numbers into
them (as per the HTTP standard). PHP obviously wants those GET/POST variables
to still be useable just like they were numbers, that's why "1" and 1 can be
used interchangeably throughout PHP.
In that context - in my eyes - this comparison also makes sense. Consider a
very similar comparison:
var_dump('0.1' == '0.10000000');
What would you expect to be the output - if you remember that in PHP numeric
strings and actual numbers are interchangeable? Clearly it has to behave
exactly as if you had written:
var_dump(0.1 == 0.10000000); // => bool(true)
In most cases this type of comparison is what you want and it usually works
exactly as expected.
What you see here in this issue is one of the edge cases (how often do you use
large numbers in PHP?) where it does not work well.
I hope you understand that it is not viable to remove a handy feature from PHP,
just because it fails under certain edge case conditions.
If you want to use a strict string comparison, just use ===.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=54547
--
Edit this bug report at https://bugs.php.net/bug.php?id=54547&edit=1
