I ran into the snippet online
https://www.quora.com/Why-is-PHP-hated-by-so-many-developers
when I was doing some research about PHP, and I simply have no idea how the codes work.
Can anyone kindly explain what happens in the snippet and how one can log in without knowing the password?? or just give me some relevant articles to read. Thanks in advance.
See the manual:
Returns ... 0 if they [strings] are equal.
So, by the snippet logic, you should compare 0 to 0 in the end. But when you send password[]=wrong, you actually send an array, forcing strcmp to throw a warning, completely bypassing the function call and perceive the condition as true
You should always use strict comparison, just in case. So in the snippet above it would be enough to compare strictly by type and value (with ===):
if(strcmp($POST['password'], "sekret") === 0)
In this case password[]=wrong would not work anymore.
Related
Under certain circumstances, the built-in function in PHP called mysqli_query returns null. Such behaviour is not foreseen by the function's documentation that explains how to use it, so I tried to dive in PHP's source code itself, posted on GitHub, to see if I can figure out why sometimes mysqli_query returns null.
The queries themselves doesn't seem to be the problem: I tested the relevant SQL queries in two different ways:
Executing them manually in the MySQL Server. They work correctly.
Within a script that I created with the single purpose of testing the queries through mysqli_query(). They work under this test, and the function returns true.
However, under certain conditions, those same queries return null. The mysqli link object exists when mysqli_query function starts running, when this "returning null failure" happens.
So, looking in the PHP's GitHub repository, i found the file called mysqli_nonapi.c and, in line 556 within this file, what seems to be the built-in mysqli_query definition. Looking at the code within, it looks like it performs a basic check and, if it fails, it returns null. Here are the first lines linked above:
/* {{{ proto mixed mysqli_query(object link, string query [,int resultmode]) */
PHP_FUNCTION(mysqli_query){
MY_MYSQL *mysql;
zval *mysql_link;
MYSQLI_RESOURCE *mysqli_resource;
MYSQL_RES *result = NULL;
char *query = NULL;
size_t query_len;
zend_long resultmode = MYSQLI_STORE_RESULT;
if (zend_parse_method_parameters(ZEND_NUM_ARGS(), getThis(), "Os|l", &mysql_link, mysqli_link_class_entry, &query, &query_len, &resultmode) == FAILURE) {
return;
}
// [...]
}
Even though I have used sometimes C code, I just know a little about C. I am aware that it uses pointers and I guess those parameters which name start with * are pointers. Anyways, I am not sure on how to interpretate this piece of code, or figuring out how it's internal flow affects PHP execution.
Long story short: I can assume somehow, the initial check shown above within the function failed for some reason. But, to find out why, I need to understand that piece of code first.
I am afraid I cannot isolate the issue to trigger the error outside production environment, which would be very useful for exhaustive testing. So, what options do I have left? Is there something I can do to debug that internal piece of code, or otherwise, figuring out why it might be failing within?
I made the tests in both PHP5 and PHP7; it fails the same way in both of them.
This is called undefined behaviour in PHP. Most instances of it have been eradicated in PHP 8, but prior to that version when you passed a wrong parameter to a built-in function, that function would usually throw a warning and return null (or false).
There were a lot of circumstances when no warning was produced at all! This behaviour was not documented on each page as this would be a mess and by definition "undefined behaviour" has no defined behaviour.
This means that code like the following would throw no warning and simply return null:
// V - string passed instead of a numerical value
var_dump(mysqli_query($mysqli, 'SELECT 1', 'foo'));
PHP was very forgiving with parameter types and when you passed the wrong type, it tried to convert it into the proper type, but when this was not possible then PHP had no defined behaviour of what should happen. Thankfully, this has been fixed in 99% of cases in PHP 8.0.
I use strcmp() for string comparison. I give the same value to the parameters, but it doesn't return 0, so my comparison fails. The relevant code snippet:
fwrite($fh ,"\n".$mevcutyoutubeid. "\n");
fwrite($fh , $youtubeid. "\n");
if($mevcutyoutubeid=!null){
fwrite($fh ,"null degil");
if(strcmp(trim($mevcutyoutubeid),trim($youtubeid )) == 0){
echo"xxx"
}
In my file these are the written ids:
UCcJWloZ7QDD1v0hdbQkosVw
UCcJWloZ7QDD1v0hdbQkosVw
So, they're exactly the same. What is the problem?
Your problem is in this line:
if($mevcutyoutubeid=!null){
That's not a comparison (!= null); that's an assignment (= !null). An assignment to !null doesn't really make any sense, by the way—it evaluates to true, but there's no good reason to do that. Anyway, that assignment breaks the following logic.
That said, your question is pretty unclear because (1) the code wasn't formatted coherently (I've fixed that) and (2) most of your code is completely irrelevant to the problem. In the future, please use proper formatting, include a Minimal, Complete, and Verifiable Example, and eliminate anything not essential to the question.
I have inherited some code in which the previous coder wrote this:
if (!not_null($page)) {
die('<b>Error!</b><br><b>Unable to determine the page link!<br><br>');
}
Is there any advantage to this, as opposed to just saying:
if (is_null($page))
It seems unnecessarily confusing to me.
not_null must be a local function.
It is not a standard PHP function.
Without knowing what not_null does, it is impossible to say. Since not_null is a user-defined function, it could be doing anything
If, after checking in to things, you find that not_null is doing a simple comparison, you could refactor the code in the name of readability:
if (is_null($page))
die('<p><strong>Error!</strong><br>Unable to determine the page link!</p>')
OR
if ($page === null)
die('<p><strong>Error!</strong>Unable to determine the page link!</p>')
P.S. - don't use <b> -- use <strong> instead. Also, when you need multiple line breaks, use a <p> instead of multiple <br>. Your sample code has an unclosed <b> tag on the error message.
Documentation
http://php.net/manual/en/function.is-null.php
There is no not_null function in PHP I believe.
What should you use?
Use === null or !== null instead of making a call to function explicitly.
It actually seems worse to do so because one can simply write in the if statement:
if($page==null) which evaluates quicker than using this function. You can also try if(!$page) which will evaluate quickly as well.
I'm using filter_var to validate boolean values but I did not expect it to not recognize FALSE. Why does this happen?
filter_var(FALSE, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)
returns
null
filter_var is new as of PHP 5.2. You've run into a known bug: https://bugs.php.net/bug.php?id=49510
Feel free to vote on or comment on that bug.
You're trying to do something like this:
$v = filter_var($v, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)
There are a number of cheap workarounds like this:
$v = $v===FALSE ? FALSE : filter_var($v, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)
It sounds like this is actually how it's supposed to work, strangely enough (yes, my mind was blown by that). From https://bugs.php.net/bug.php?id=51344
This is going to sound insane when you've looked at the underlying
filter code, but this is actually correct according to the
documentation: the default behaviour of filter_input() is to return
NULL for non-existent inputs and false when validation fails, and
FILTER_NULL_ON_FAILURE simply flips that behaviour to false for
non-existent inputs and NULL on validation failure. (No, I don't have
a clue where that would be useful either, and the name of the flag is
unfortunate in the filter_input() context, since it implies that NULL
wouldn't normally be returned. It makes more sense when used with
filter_var(), which doesn't have the non-existent input case.)
[table omitted due to SO formatting]
I'll pop a comment into the filter_input() and filter_input_array()
implementations to note that this is by design, even though the code
does kind of look wrong.
Closing Won't Fix.
This was the behaviour when filter_var was first introduced with version 5.2 and resolved at some point after 5.4 as is seen by this https://3v4l.org/Cv1MZ
Starting from version 5.4 this is what happens:
var_dump(filter_var(FALSE, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE));
bool(false)
which makes much more sense.
According to the documentation
Returns true for "1", "true", "on" and "yes". Returns false otherwise.
Anything different than the values mentioned above is considered falsy. This is not to test if a variable is actually a boolean like with typeof or is_bool(), but more like a mean to test if the input comming from the user (usually an <input type="checkbox"> form) is truthy/falsy.
The behavior of this function could be understand as let it go through if it's correct rather than a mean to test the type of a variable (we have lots of other functions for this). Exemple :
filter_var('435345', FILTER_VALIDATE_INT)
The type is a string, but the result is not true/false as the intention is not to validate the type. So an int would be returned (let go through).
In this code fragment:
$results = $this->getAdapter()->fetchAll($query);
if(count($results)) {
// …
}
…do you consider the if(count()) part to be be a well understood idiom, or confusing code. i.e. should it be
if(count($results) > 0)
???
Using a boolean expression with 'if' requires less understanding of a language than using implicit conversions, so I would always prefer the second option (adding "> 0") - at least if this code is meant to be read by others, too. You never know who will maintain your code. The keyword is "clarity" here.
But I must admit I have written many times code with if's using an int expression myself, too, because I like its elegance.
They are doing exactly the same job in this context, and are both easily readable.
I'll just add (just in case) that if you're performing this query only to if(count()), then you should be issuing a SELECT COUNT(*) instead!
The count and the extraneous > comparison are pointless. If you receive an actualy array, then the test should just be:
if ($results) {
That's what scripting languages are for. Abstracting low level details away.
You would only need the count if your fetchAll function returns an ArrayObject or similar. Should your function sometimes return a false for example, then your if (count( is going to fail (because count(false)==1 in PHP).
erm...not realy sure what the purpose of this question is - but the semantics should be self-evident to anyone whom understands PHP
My opinion is that the > 0 check is redundant and unnecessary.
I know other developers who insist that it should be there for clarity, but frankly I can't why -- anyone who can read PHP should be able to discern that they are identical.