On Mon, May 7, 2012 at 12:28 AM, Arvids Godjuks <arvids.godj...@gmail.com>wrote:
> Hello internals, > > I should voice my opinion that such things like comparing two strings > starting with numbers and that they resolve to actual integer/float for > comparation is bad, really bad. That just defies the logic and yealds > absolutly unexpected results. I pride myself that i know the juggling rules > well, but I'm shocked by this to say the least... > In my opinion this should change no matter the BC breaks it will create, > this one affects security big time. It's good I actually hash my passwords > in the MySQL and not on the PHP side, but I have seen hash comparations > with == all the time. And now that this has been discussed in detail I > expect this to be used as an attack method grow wide. > 07.05.2012 5:32 пользователь "Tjerk Anne Meesters" <datib...@php.net> > написал: Forgive me if I'm missing something, but why are people using == for security-sensitive string comparisons (like hashed passwords) in the first place?! If you needs something that's safe, isn't that what strcmp() and strcasecmp() are for? For my part, I pretty much never use == on string comparison, though admittedly that's probably just a matter of having having come from a C background before PHP. That being said, I agree that this *definitely* should be fixed if the examples cited are indeed accurate (I've been working with PHP for over 10 years and I was never aware of this bizarre behavior, either). I don't know the history of this, but I at least would consider it to be a bug. A rather large one, in fact; though I think some of the fears expressed are a bit hyperbolic. And if you're fixing a serious bug or security vulnerability, as a general rule of thumb, this automatically supercedes any concerns regarding BC breakage IMHO. But if that really is a lingering concern, I'd suggest targetting the fix for PHP 6, since people would (or at least should) expect that some PHP 5 code may behave differently in PHP 6 anyway given that it's a major release --Kris