Shulou(Shulou.com)06/03 Report--

This article mainly introduces "what are the PHP weak type security problems". In the daily operation, I believe that many people have doubts about what PHP weak type security problems there are. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful for you to answer the doubts about "what PHP weak type security problems"! Next, please follow the editor to study!

An introduction to PHP weak types

The editor thinks that php is powerful because php provides many unique features for developers to use, one of which is the php weak typing mechanism.

In PHP, you can do the following.

$param = 1 leading param = array (); $param = "stringg"

Weakly typed languages have no restrictions on the data types of variables. You can assign variables to any other type of variable at any time, and variables can be converted to any other type of data.

Type conversion problem

Type conversion is an inevitable problem. For example, when you need to convert the parameters of GET or POST to the int type, or when the two variables do not match, PHP will automatically convert the variables. But PHP is a weakly typed language, which leads to a lot of unexpected problems in type conversion.

Comparison operator

Type conversion

In the comparison of $a million dollars

$axinulltern breadfly / / true$a='';$b=null; / / true

There are many such examples, and the comparisons are all equal.

There is also a problem with type conversion when using the comparison operator, as follows:

Abcdefg' / / true0 = 'abcdefg' / / true0 = =' abcdefg' / / false1 = = '1abcdef' / / true

There will be a problem of variable conversion when different types of variables are compared, and there may be problems after the conversion.

Hash comparison

In addition to the above approach, there are also problems when comparing hash. As follows:

"0e132456789" = = "0e7124511451155" / / true "0e123456abc" = = "0e1dddada" / / false "0e1abc" = = "0" / / true

In the comparison operation, if a string such as 0e\ d + is encountered, the string will be parsed to scientific counting. So in the above example, the values of both numbers are 0, so they are equal. If the mode of 0e\ d + is not satisfied, it will not be equal. This question has been tested in the md5 collision of the attack and defense platform.

Hexadecimal conversion

There is also a problem when comparing hexadecimal residual strings.

Examples are as follows:

"0x1e240" = = "123456" / / true "0x1e240" = = 123456 / / true "0x1e240" = = "1e240" / / false

When one of the strings begins with 0x, PHP parses the string into decimal and then compares it. 0x1240 parses to decimal is 123456, so it is equal to 123456 of both int and string types. It is really difficult to name in the attack and defense platform is to examine this feature.

Type conversion

The most common conversion is the conversion from int to string,string to int.

Int to string:

$var = 5; mode 1:$item = (string) $var; mode 2:$item = strval ($var)

String turns to the int:intval () function.

For this function, you can first look at two examples.

Var_dump (intval ('2')) / / 2var_dump (intval ('3abcd')) / / 3var_dump (intval (' abcd')) / / 0

When intval () is converted, it will be converted from the beginning of the string until a non-numeric character is encountered. Even if there is an unconvertible string, intval () does not report an error but returns 0.

This feature of intval () is tested in the topic MYSQL in the attack and defense platform.

At the same time, programmers should not use this code when programming:

If (intval ($a) > 1000) {mysql_query ("select * from news where id=". $a)}

At this point, the value of $a may be 1002 union. ..

Looseness of parameters of built-in function

The looseness of the built-in function is that when the function is called, the function is passed a parameter type that is unacceptable to the function. The explanation is a bit of a mouthful, or directly through the actual examples to illustrate the problem, the following will focus on a few of these functions.

Md5 ()

$array1 [] = array ("foo" = > "bar", "bar" = > "foo",); $array2 = array ("foo", "bar", "hello", "world"); var_dump (md5 ($array1) = = var_dump ($array2)); / / true

The md5 () function in the PHP manual is described as string md5 (string $str [, bool $raw_output = false]), and the requirement in md5 () is an argument of type string. But when you pass an array, md5 () will not report an error, and the knowledge will not be able to correctly calculate the MD5 value of the array, which will cause the MD5 values of any two array to be equal. This md5 () feature is also tested in bypass again in the attack and defense platform.

Strcmp ()

The strcmp () function is described in the PHP official manual as int strcmp (string $str1, string $str2), and you need to pass two parameters of type string to strcmp (). If str1 is less than str2, return-1, equality returns 0, otherwise return 1. The essence of the strcmp function to compare strings is to convert two variables into ascii, then subtract, and then determine the return value based on the result of the operation.

What if the argument given strcmp () passed in is a number?

Array= [1Jing 2Jue 3]; var_dump (strcmp ($array,'123')); / / null, in a sense, null is equivalent to false.

The feature of strcmp has been tested in pass check in the attack and defense platform.

Switch ()

If switch is the judgment of case of numeric type, switch converts the parameters to int type. As follows:

$I = "2abc"; switch ($I) {case 0:case 1:case 2: echo "i is less than 3 but not negative"; break;case 3: echo "I is 3";}

At this time, the output of the program is i is less than 3 but not negative, because the switch () function converts $I to 2.

In_array ()

In the PHP manual, the in_array () function is interpreted as bool in_array (mixed $needle, array $haystack [, bool $strict = FALSE]), and if the strict parameter is not provided, in_array uses a loose comparison to determine whether $needle is in $haystack. When the value of strince is true, in_array () compares whether the type of needls is the same as that in haystack.

$array=; var_dump (in_array ('abc', $array)); / / truevar_dump (in_array (' 1bccent, $array)); / / true

You can see that true is returned in the above case, because 'abc'' will be converted to 0memery 1bc' and converted to 1.

Array_search () is the same problem as in_array ().

At this point, the study on "what are the PHP weak types of security problems" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.