Edit report at https://bugs.php.net/bug.php?id=62097&edit=1
ID: 62097
Updated by: s...@php.net
Reported by: kazuo at o-ishi dot jp
Summary: New behavior of string == has a compatibility
problem
-Status: Assigned
+Status: Feedback
Type: Bug
Package: Scripting Engine problem
Operating System: Gentoo Linux
PHP Version: 5.4.4RC1
Assigned To: stas
Block user comment: N
Private report: N
New Comment:
What is in $row[0] in your example?
Previous Comments:
------------------------------------------------------------------------
[2012-05-30 06:17:28] s...@php.net
Automatic comment on behalf of cataphract
Revision:
http://git.php.net/?p=php-src.git;a=commit;h=78ff9ebb6bb501dff995727512c38fdeff50021b
Log: Fixed bug #62097
------------------------------------------------------------------------
[2012-05-29 09:04:37] kazuo at o-ishi dot jp
Interface to user inputs or external format may rely on current
(released version of ) PHP behavior, ignore leading zeros or whitespaces.
I'm sorry that I cannot show you simple example.
Instead, this is example to show another incompatibility:
There is pgsql database table created by
CREATE TABLE t (k INT, v NUMERIC(30,1));
This code print "true" on PHP 5.4.3 but "false" on latest.
-------------------------------------------------
<?php
$key = "1";
$num = "12345678901234567890";
$con = pg_connect("...");
pg_query($con, "DELETE FROM t");
pg_query($con, "INSERT INTO t (k, v) VALUES ($key, $num)");
$rs = pg_query($con, "SELECT v FROM t WHERE k = $key");
$row = pg_fetch_row($rs);
if ($row[0] == $num) {
echo "true";
} else {
echo "false";
}
-------------------------------------------------
------------------------------------------------------------------------
[2012-05-29 05:33:35] s...@php.net
I am sorry, but I still do not see the explanation why any code would rely on
comparison such as "09223372036854775808" == "9223372036854775808" to return
true. If you have such reason - please bring it forward. Repeating "HISTORICAL
REASON" does not explain anything. If you have valid use case why it needs to
be
preserved - please provide it ASAP. Otherwise the only thing to conclude will
be
that no application has a valid reason to rely on that and the right thing will
be to change it, as this code should behave this way from the start.
------------------------------------------------------------------------
[2012-05-29 03:25:08] kazuo at o-ishi dot jp
> Old comparison ("09223372036854775808" == "9223372036854775808") is
> a problem since it may lead to md5() hashes accepting wrong
> passwords. This has very high risk of negative consequences for many
> PHP users. Thus we decided to fix it ASAP.
Clearly, it have to be compared using === instead of ==.
We should issue the statement at the PHP site:
"String to string comparison using == has many problem including
security problems. We strongly recommend to use === instead."
And we should add new Security section at
http://www.php.net/manual/en/security.php
In addition, string to string comparison using == should be mentioned as NOT
RECOMMENDED explicitly on
http://www.php.net/manual/en/language.operators.comparison.php
These actions can be done at right now, and it is effective for all
PHP users including users of old versions.
Fortunately, it's rare the return value is constructed only decimal
number since md5() returns 32-character hexdecimal string
[(10/16)^32 -> 0.000029% ?].
And, for the application developers, it is comparatively easy to point
out and correct a part with such a problem.
> This change can not be backward compatible - since the whole point
> was to change how this comparison works.
Security fix which breaks compatibility in wide and unexpectable area
will not work well, because it makes the users difficult to migrate to new
version.
> I have very hard time understanding why your code would rely on comparison
> between two completely distinct strings return "true" - what exactly this
> code
> does and why it relates on == comparison truncating long numbers?
That's HISTORICAL REASON.
There are many of legacy code with == comparison in the world,
they need to work AS IS.
If there is such a incompatibility, the maintainers of that code have
to check whole code using == operator before upgrading to PHP 5.4.4.
------------------------------------------------------------------------
[2012-05-29 01:14:30] s...@php.net
Old comparison ("09223372036854775808" == "9223372036854775808") is a problem
since it may lead to md5() hashes accepting wrong passwords. This has very high
risk of negative consequences for many PHP users. Thus we decided to fix it
ASAP.
This change can not be backward compatible - since the whole point was to
change
how this comparison works.
I have very hard time understanding why your code would rely on comparison
between two completely distinct strings return "true" - what exactly this code
does and why it relates on == comparison truncating long numbers? Maybe if you
explain the need better there would be a reason to postpone this change but for
now I do not see a reason that would override very real security concern from
bug #54547.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=62097
--
Edit this bug report at https://bugs.php.net/bug.php?id=62097&edit=1
