WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#11391 closed defect (bug) (invalid)

logic error bug in php 5.3.0 probably needs attention in WP

Reported by: Denis-de-Bernardy Owned by:
Milestone: Priority: normal
Severity: major Version: 2.9
Component: General Keywords:
Focuses: Cc:

Description

$foo = 0;
var_dump('foo' == $foo); // true
var_dump($foo == 'foo'); // true
var_dump('foo' === $foo); // false
var_dump($foo === 'foo'); // false
var_dump(phpversion());

I encountered this obscure bug while looking into why memcached was returning false, when I definitely knew it contained 0. And, sure enough:

http://plugins.trac.wordpress.org/browser/memcached/trunk/object-cache.php?rev=74855#L265

http://plugins.trac.wordpress.org/browser/memcached/trunk/object-cache.php?rev=74855#L203

I haven't tested if it affected php 5.3.1 yet.

Change History (5)

comment:1 @Denis-de-Bernardy5 years ago

It's actually a feature. :-(

http://php.net/manual/en/language.operators.comparison.php

That's a huge change in the way php handles strings/int comparison.

comment:2 @nacin5 years ago

When was the change, in that case?

bool(true)
bool(true)
bool(false)
bool(false)
string(5) "5.2.9"

comment:3 in reply to: ↑ description @nacin5 years ago

  • Resolution set to invalid
  • Status changed from new to closed

With emphasis added, the following is from http://www.php.net/manual/en/language.types.string.php#language.types.string.conversion. This appears to be PHP in general, not a PHP 5.3 change.


String conversion to numbers

When a string is evaluated in a numeric context, the resulting value and type are determined as follows.

If the string does not contain any of the characters '.', 'e', or 'E' and the numeric value fits into integer type limits (as defined by PHP_INT_MAX), the string will be evaluated as an integer. In all other cases it will be evaluated as a float.

The value is given by the initial portion of the string. If the string starts with valid numeric data, this will be the value used. Otherwise, the value will be 0 (zero). Valid numeric data is an optional sign, followed by one or more digits (optionally containing a decimal point), followed by an optional exponent. The exponent is an 'e' or 'E' followed by one or more digits.

comment:4 @nacin5 years ago

  • Milestone 2.9 deleted

comment:5 @Denis-de-Bernardy5 years ago

Yeah, I read the same. It's weird, too. A numerical string is converted to a number before being compared:

var_dump(1 == '2'); // false
var_dump(1 == '1'); // true

At any rate, the issue generates a bug in Ryan's wp_object_cache class, mentioned further up.

I did a quick scan of the WP code and didn't spot any areas where this could potentially be abused (i.e. $user_submitted_int == 'something' leading to code execution that should not be), so I'll leave it there.

Note: See TracTickets for help on using tickets.