PHP is thinking that null is 0 when the character in $position doesn't exist.
$statusentery = $_POST[status];
$position = strpos($statusentery,"<");
if ($position == 0){
echo "Sorry, for security purposes we do not
allow characters such as <";
exit;
}
For example, if $statusentery was equal to "Howdy there", it would return "Sorry, for security purposes we do not allow characters such as <". (unexpected)
If $statusentery was equal to "Howdy there <" it would return blank (expected).
How to make it work so that when I enter "Howdy there", it didn't do the if loop, but when I enter "< howdy there>", it did the if loop?
Because 0 can means "false" in PHP, $postition will be false when it doesn't exist. So you'll need to use the following:
if ($position === 0){
Using the triple equal sign in PHP verifies that the compared values have the same data type. A lot more information can be found here: http://php.net/manual/en/language.operators.comparison.php
From: http://php.net/manual/es/function.strpos.php
WARNING
As strpos may return either FALSE (substring absent) or 0 (substring
at start of string), strict versus loose equivalency operators must be
used very carefully.
To know that a substring is absent, you must use:
=== FALSE
To know that a substring is present (in any position including 0), you
can use either of:
!== FALSE (recommended)
-1 (note: or greater than any negative number)
To know that a substring is at the start of the string, you must use:
=== 0
To know that a substring is in any position other than the start, you
can use any of:
0 (recommended) != 0 (note: but not !== 0 which also equates to FALSE) != FALSE (disrecommended as highly confusing)
Also note that you cannot compare a value of "" to the returned value
of strpos. With a loose equivalence operator (== or !=) it will return
results which don't distinguish between the substring's presence
versus position. With a strict equivalence operator (=== or !==) it
will always return false.
So the code must be:
$statusentery = $_POST[status];
$position = strpos($statusentery,"<");
if ($position === 0){
echo "Sorry, for security purposes we do not allow characters such as <";
exit;
}
This is a tricky function. As stated in the strpos manual:
Warning This function may return Boolean false, but may also return a
non-Boolean value which evaluates to false. Please read the section on
Booleans for more information. Use the === operator for testing the
return value of this function.
I use this comparison, which works well without even a notice level warning:
if ($position > -1)
Returns boolean false when the string is not found, which is evaluable as a number, thus comparing whether the value is greater than -1 actually works well. In case any match is found, even at position 0 the above comparison will be passed.
Related
if(strpos("http://www.example.com","http://www.")==0){ // do work}
I'd expect this to resolve as true, which it does. But what happens when I do
if(strpos("abcdefghijklmnop","http://www.")==0){// do work}
This also passes on php 5 because as far as I can work out the strpos returns false which translates as 0.
Is this correct thinking/behaviour? If so what is the workaround for testing for that a substring is at the beginning of another string?
Yes, this is correct / expected behavior :
strpos can return 0 when there is a match at the beginning of the string
and it will return false when there is no match
The thing is you should not use == to compare 0 and false ; you should use ===, like this :
if(strpos("abcdefghijklmnop","http://www.") === 0) {
}
Or :
if(strpos("abcdefghijklmnop","http://www.") === false) {
}
For more informations, see Comparison Operators :
$a == $b will be TRUE if $a is equal to $b.
$a === $b will be TRUE if $a is equal to $b, and they are of the same type.
And, quoting the manual page of strpos :
This function may return Boolean
FALSE, but may also return a
non-Boolean value which evaluates to
FALSE, such as 0 or "". Please
read the section on Booleans for
more information. Use the ===
operator for testing the return
value of this function.
=== and !== compare type and value as shown below:
if (strpos("abcdefghijklmnop", "http://www.") !== false) {
// do work
}
strpos returns an int or boolean false. the == operator also evaluates 0 to mean false, you want to use the === operator (three equals signs) that also checks that the types being compared are the same instead of just seeing if they can be evaluated to mean the same.
so
if (strpos($hastack, $needle) === 0)
{
// the $needle is found at position 0 in the $haystack
}
0 is a possible return value from strpos when it finds a match at the very beginning. In case if the match is not found it returns false(boolean). So you need to check the return value of strpos using the === operator which check the value and the type rather than using == which just checks value.
I personally tend to use this way :
if(!strpos($v,'ttp:'))$v='http://'.$v;
or
if(strpos(' '.$v,'http'))
to avoid the "0" position then always make it a number more than 0
cheers
I'm using the following code:
if(isset($_GET['TDEnderEmail']) || htmlspecialchars($_GET['TDEnderEmail'])){
$VEENFSL = strval($_GET['TDEnderEmail']);
if(strpos($VEENFSL, "#enderadel.cf") > 0 && strlen($VEENFSL) > 5 && strlen($VEENFSL) < 22){
return true;
}
}
and although that $VEENFSL's if (strpos($VEENFSL, "#enderadel.cf") > 0 && strlen($VEENFSL) > 5 && strlen($VEENFSL) < 22) statements values are turn for the example -user#enderadel.cf- if() never return a true
Be warned that strpos doesn't work like you probably think it does: as the documentation states, strpos
Returns the position of where the needle exists relative to the
beginning of the haystack string (independent of offset). Also note
that string positions start at 0, and not 1.
Returns FALSE if the needle was not found.
Warning This function may return Boolean FALSE, but may also return a
non-Boolean value which evaluates to FALSE. Please read the section on
Booleans for more information. Use the === operator for testing the
return value of this function.
This means that your example string probably matches at position 0, therefore
strpos($VEENFSL, "#enderadel.cf") > 0
is false.
Therefore, you should replace that with
strpos($VEENFSL, "#enderadel.cf") !== false
I have this issue with a string:
$val = 'NOT NULL';
if(stripos($val, 'NULL') !== FALSE){
echo "IS $val";
}
It evaluates fine, but if I use === TRUE as evaluator, things go wrong.
The answer eludes me, please help me understand.
If you read the documentation for stripos() you'll find.
Returns the position of where the needle exists relative to the beginnning of the haystack string (independent of offset). Also note that string positions start at 0, and not 1.
Returns FALSE if the needle was not found.
It does not return TRUE. Since you are using strict equality, your condition will never be true.
If you did stripos($val, 'NULL') == TRUE then your code would execute if NULL were found at position 0 - since PHP will do some type-juggling and effectively 0 == (int)true.
The appropriate way to test for existence using stripos() is what you have:
if (stripos($val, 'NULL') !== FALSE){
echo "IS $val";
}
The answer is because you are using the strict equality operator. The function itself returns an int (or boolean if the needle is not found). The return value is not equal (in the strict sense, both value and type) to true, which is why the check fails.
Since === and !== are strict comparison operators - !== false is not the same as ===true since, for example, 1!==false is ok (values and types are not equal), but 1===true is not ok (values are equal, but types are not).
This sample indicates the meaning of strict comparison - i.e. not only values matters, but also types of compared data.
I have the following piece of code:
$item['price'] = 0;
/* Code to get item information goes in here */
if($item['price'] == 'e') {
$item['price'] = -1;
}
It is intended to initialize the item price to 0 and then get information about it. If the price is informed as 'e' it means an exchange instead of a sell, which is stored in a database as a negative number.
There is also the possibility to leave the price as 0, either because the item is a bonus or because the price will be set in a later moment.
But, whenever the price is not set, which leaves it with the initial value of 0, the if loop indicated above evaluates as true and the price is set to -1. That is, it considers 0 as equal to 'e'.
How can this be explained?
When the price is provided as 0 (after initialization), the behavior is erratic: sometimes the if evaluates as true, sometimes it evaluates as false.*
You are doing == which sorts out the types for you.
0 is an int, so in this case it is going to cast 'e' to an int. Which is not parsable as one and will become 0. A string '0e' would become 0 and would match!
Use ===
From PHP.net:
Comparisons between strings and numbers using == and other non-strict
comparison operators currently work by casting the string to a number,
and subsequently performing a comparison on integers or floats. This
results in many surprising comparison results, the most notable of
which is that 0 == "foobar" returns true.
However this behavior was changed in PHP 8.0:
When comparing to a numeric string, PHP 8 uses a number comparison.
Otherwise, it converts the number to a string and uses a string
comparison.
PHP 7
0 == 'foobar' // true
0 == '' // true
4 == '4e' // true (4e is cast as a number and becomes 4)
PHP 8 converts numbers to strings before making comparisons
0 == 'foobar' // false
0 == '' // false
4 == '4e' // false ('4e' is considered non-numeric therefore 4 is cast as a string and becomes '4')
This is a major change therefore it was implemented in a new major PHP version. This change breaks backward compatibility in scripts that depend on the old behavior.
This is due to how PHP does the comparison operation that the == comparison operator denotes:
If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a number and the comparison performed numerically. […] The type conversion does not take place when the comparison is === or !== as this involves comparing the type as well as the value.
As the first operand is a number (0) and the second is a string ('e'), the string is also converted to a number (see also table Comparison with Various Types). The manual page on the string data type defined how the string to number conversion is done:
When a string is evaluated in a numeric context, the resulting value and type are determined as follows.
If the string does not contain any of the characters '.', 'e', or 'E' and the numeric value fits into integer type limits (as defined by PHP_INT_MAX), the string will be evaluated as an integer. In all other cases it will be evaluated as a float.
In this case the string is 'e' and thus it will be evaluated as a float:
The value is given by the initial portion of the string. If the string starts with valid numeric data, this will be the value used. Otherwise, the value will be 0 (zero). Valid numeric data is an optional sign, followed by one or more digits (optionally containing a decimal point), followed by an optional exponent. The exponent is an 'e' or 'E' followed by one or more digits.
As 'e' does not start with a valid numeric data, it evaluates to float 0.
"ABC" == 0
evaluates true because first "ABC" is converted to integer and becomes 0 then it is compared to 0.
This is an odd behaviour of the PHP language: normally one would expect 0 to be promoted to string "0" and then compared to "ABC" with a result false.
Perhaps that's what happen in other languages like JavaScript where the weak comparison "ABC" == 0 evaluates false.
Doing a strict comparison solves the problem:
"ABC" === 0
evaluates false.
But what if I do need to compare numbers as strings with numbers?
"123" === 123
evaluates false because the left and right term are of different type.
What is actually needed is a weak comparison without the pitfalls of PHP type juggling.
The solution is to explicit promote the terms to string and then do a comparison (strict or weak doesn't matter anymore).
(string)"123" === (string)123
is
true
while
(string)"123" === (string)0
is
false
Applied to the original code:
$item['price'] = 0;
/*code to get item information goes in here*/
if((string)$item['price'] == 'e') {
$item['price'] = -1;
}
The == operator will try to match values even if they are of different types. For instance:
'0' == 0 will be true
If you need type comparison as well, use the === operator:
'0' === 0 will be false
Your problem is the double equal operator, which will typecast the right member to the type of the left. Use strict if you prefer.
if($item['price'] == 'e') {
$item['price'] = -1;
}
Let's go back to your code (copied above). In this case, in most cases, $item['price'] is an integer (except when it is equal to e, obviously). As such, by laws of PHP, PHP will typecast "e" to integer, which yields int(0). (Don't believe me? <?php $i="e"; echo (int)$i; ?>).
To easily get away from this, use the triple equal (exact comparison) operator, which will check the type and will not implicitly typecast.
P.S: a PHP fun fact: a == b does not imply that b == a. Take your example and reverse it: if ("e" == $item['price']) will never actually be fulfilled provided that $item['price'] is always an integer.
There's a rather handy method in PHP for validating a mix of "0", "false", "off" as == false and "1", "on", "true" as == true which is often overlooked. It's particularly useful for parsing GET/POST arguments:
filter_var( $item['price'], FILTER_VALIDATE_BOOLEAN );
It's not wholy relevant to this use-case but given the similarity and fact this is the result search tends to find when asking the question of validating (string)"0" as false I thought it would help others.
http://www.php.net/manual/en/filter.filters.validate.php
You should use === instead of ==, because the ordinary operator does not compare the types. Instead it will attempt to typecast the items.
Meanwhile the === takes in consideration type of items.
=== means "equals",
== means "eeeeh .. kinda looks like"
Basically, always use the === operator, to guarantee type safety.
I think it is best to show by examples I did, while running into the same weird behavior. See my test case and hopefully it will help you understand the behavior better:
// Normal comparison using the == Operator
echo (0 == "0"); // true
echo (0 == "a"); // true
echo (0 == "safta!"); // true
echo (1000 == "bla"); // false. It appears that PHP has a weird behavior only with the number / string 0 / "0" according to the past 3 examples.
echo (23 == "23"); // true. So as we said, PHP has a problem (not a problem but weird behavior) only when the number / string 0 (or "0") is present
echo (23 == "24"); // false. values aren't equal (unlike last example). The type is less relevant with the == operator as we can see.
// Now using the === and !== Operators
echo ("0" === 0); // false, since === requires both value and type to be the same. Here, type is different (int vs string)
echo ("0" !== 0); // true because they aren't the same in terms of === comparison (type is different and that's why it's true)
echo ("bla" === "blaa"); // false because the values are not the same. The type is the same, but === checks for both equal type and equal value.
//Now using casting and === Operator:
echo ((string)123 === "123"); // true. The casting of the int 123 to string changed it to "123" and now both variables have same value and are of same type
echo ((int)"123" === 123); // true. The casting of the string 123 to int, changed it to int, and now both variables are of same value and type (which is exactly what the === operator is looking for)
// Now using casting and == Operator. Basically, as we've seen above, the == care less for the
// type of var, but more to the value. So the casting is less relevant here, because even
// without casting, like we saw earlier, we can still compare string to int with the == operator
// and if their value is same, we'll get true. Either way, we will show that:
echo ((string)123 == "123"); // true. The casting of the int 123 to string changed it to "123" and now both vars have same value and are of same type
echo ((int)"123" == 123); // true. The casting of the string 123 to int, changed it to int, and now both vars are of same value and type (which is exactly what the === operator is looking for)
if (strrpos($_POST['security_data'], $OrderReference) === false ||
md5($_POST['security_data'] . $sekey) != $_POST['security_hash'])
{
return;
}
I don't understand why is strrpos in there and === "3 equals"
and what is the dot "." doing in $_POST['security_data'] . $sekey
Thank You
strrpos returns the position of the substring.
echo strrpos("Hello", "e"); // outputs `1`
. is concatenation.
echo "Hello "."There"; // outputs: 'Hello There'
=== checks type as well as equality.
var_dump(1 == true); // true
var_dump(1 === true); // false
Here's a translation to C#:
string hash = MD5.Create().ComputeHash(Request.Form["security_data"] + sekey);
if (!Request.Form["security_data"].Contains(OrderReference)
|| hash != Request.Form["security_hash"])
{
return;
}
strrpos returns false if the string isn't found (don't know which string in which, but the docs will tell you)
=== compares type as well instead of just value. This is done so php doesn't to any casting, for example 0 == false (0 represents false in php as well) but 0 !== false as 0 isn't the same type as false.
the . is the concat operator in php.
strrpos is "return position of substring within a string, starting from the right (end) side". === is the PHP strict comparison, which compares type AND value. The strpos functions CAN return a legitimate 0 as a position, which is the very start of the string. But 0 evalutes to boolean FALSE in PHP, so the === check ensures that you're looing at a real false (strrpos found nothing) and not just "strrpos found string at position zero".
The dot (.) connects between 2 strings, and the 3 equals checks if the returned value is in the same type as what it compared to
If the contents of the variable $OrderReference are not found in the POST variable security_data, or the MD5 hash of the POST variable security_data, concatenated with (that's the . operator in PHP) the variable $sekey isn't equal to security_hash, return from the function.
=== is used to ensure that the return from strrpos() is the boolean FALSE rather than the possible valid return value of 0. === is for strict type comparison.