Exploitable PHP Functions
**Insecure Session ID:**
phpwn: Attack on PHP sessions and random numbers
Not So Random Numbers - An Article by Positive Research Center
**Magic Hashes:**
Magic hashes – PHP hash "collisions"
Always check the data type before comparing values: PHP's loose comparison (`==`) juggles types, so strings that merely start with digits, or that look like numbers in scientific notation, compare equal to integers.
```php
assert(0 == '0ABC'); // TRUE on PHP < 8 (leading digits are juggled to 0); FALSE on PHP 8, which compares as strings
assert(0 == 'ABC');  // TRUE on PHP < 8 (even without a starting integer!); FALSE on PHP 8
assert(0 === '0ABC'); // FALSE: strict comparison checks the type too, so this assert fails (warning, or AssertionError on PHP 8)

function checkIntegerRangeTheWrongWay($int, $min, $max)
{
    // No type check: a string is juggled to a number for the >= / <= tests
    return ($int >= $min && $int <= $max);
}

assert(checkIntegerRangeTheWrongWay("6' OR 1=1", 5, 10)); // returns TRUE incorrectly: "6' OR 1=1" is juggled to 6
```

[Full Type Comparison List](https://www.php.net/manual/en/types.comparisons.php)
#### Hash Comparison
[rConfig 3.9.6 - Magic Hash Auth Bypass to RCE](https://posts.slayerlabs.com/rconfig-vulns/)
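The following is an added example (not code from the original page or from any of the projects it links) that puts the type-juggling range check and the magic-hash comparison from the sections above beside their hardened forms. All function names are this example's own, and the two "0e" digests are constructed stand-ins shaped like a magic hash; the "Magic hashes" article referenced above lists real MD5/SHA-1 outputs of that form.

```php
<?php
// Added example, not from the original page. Demonstrates why loose
// comparison (==) breaks both integer-range checks and hash checks, and
// what the strict versions look like. Function names are this example's own.

declare(strict_types=1);

// The page's wrong way: a string is juggled to a number before the
// comparison, so "6' OR 1=1" is treated as 6 and passes.
function checkIntegerRangeTheWrongWay(mixed $int, int $min, int $max): bool
{
    return ($int >= $min && $int <= $max);
}

// Hardened: validate the type first. FILTER_VALIDATE_INT returns false for
// anything that is not a whole integer (so "6' OR 1=1", "6abc" and "6.0"
// are all rejected) and the genuine int otherwise.
function checkIntegerRangeTheRightWay(mixed $value, int $min, int $max): bool
{
    $int = filter_var($value, FILTER_VALIDATE_INT);
    if ($int === false) {
        return false;
    }
    return $int >= $min && $int <= $max;
}

// Magic-hash bug: a hex digest of the form "0e" followed only by digits is a
// numeric string in scientific notation (0 * 10^n). == compares two such
// strings as floats, so two different digests compare equal. This holds on
// PHP 8 as well, because both operands are numeric strings.
function hashMatchesLoosely(string $stored, string $supplied): bool
{
    return $stored == $supplied;          // vulnerable
}

// Hardened: hash_equals() compares the strings byte for byte (and in
// constant time), so only an identical digest passes.
function hashMatchesStrictly(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Constructed sample values, shaped like magic hashes but not real digests.
$storedDigest   = '0e12345';
$suppliedDigest = '0e99999';

var_dump(checkIntegerRangeTheWrongWay("6' OR 1=1", 5, 10)); // passes, wrongly
var_dump(checkIntegerRangeTheRightWay("6' OR 1=1", 5, 10)); // rejected
var_dump(checkIntegerRangeTheRightWay("7", 5, 10));         // accepted
var_dump(hashMatchesLoosely($storedDigest, $suppliedDigest));  // equal, wrongly
var_dump(hashMatchesStrictly($storedDigest, $suppliedDigest)); // not equal
```

The same rule applies to any value that crosses a trust boundary: decide the expected type, validate it (`filter_var`, `is_int`, `ctype_digit`), and then compare with `===` or `hash_equals`; `==` should not appear in an authentication or authorization path.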
### PHPCS Auditor
**Example:**
```bash
>>> composer require pheromone/phpcs-security-audit
Using version ^2.0 for pheromone/phpcs-security-audit
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 2 installs, 0 updates, 0 removals
- Installing squizlabs/php_codesniffer (3.5.3): Downloading (100%)
- Installing pheromone/phpcs-security-audit (2.0.1): Downloading (100%)
Writing lock file
Generating autoload files
bridings@lupin:/tmp
>>> sh vendor/pheromone/phpcs-security-audit/symlink.sh
Symlink created.
bridings@lupin:/tmp
>>> ./vendor/bin/phpcs --extensions=php,inc,lib,module,info --standard=./vendor/pheromone/phpcs-security-audit/example_base_ruleset.xml ./vendor/pheromone/phpcs-security-audit/
```
Also affects ereg_replace(), eregi_replace(), mb_ereg_replace() and mb_eregi_replace()!
Source
Example Bad Code:
```php
<?php
$in = 'Somewhere, something incredible is waiting to be known';
// Both the pattern and the replacement come straight from the query string
echo preg_replace($_GET['replace'], $_GET['with'], $in);
?>
```
Exploit Parameter:
Example Bad Code 2:
```php
<?php
$in = 'Somewhere, something incredible is waiting to be known';
// Delimiters are fixed, but the user value is still inserted as regex syntax
echo preg_replace('/' . $_GET['replace'] . '/i', $_GET['with'], $in);
?>
```
Exploit Parameter:
Source
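The following is an added example (not code from the original page) showing the hardened counterpart of the two bad snippets above. User input never reaches `preg_replace()` as regex syntax, so it cannot close the delimiter and append modifiers such as the old `/e` (eval) modifier, and a third helper allow-lists modifiers for the rare case where a full pattern must come from a configuration source. All function names are this example's own; `preg_last_error_msg()` requires PHP 8.

```php
<?php
// Added example, not from the original page. Hardened replacements for the
// "bad code" snippets: the search term is treated as a literal, and patterns
// that must come from outside are checked against a modifier allow-list.

declare(strict_types=1);

// When only a literal search term is needed, skip the regex engine entirely:
// there are no delimiters or modifiers left to abuse.
function replaceLiteral(string $needle, string $with, string $in): string
{
    return str_ireplace($needle, $with, $in);
}

// When the case-insensitive regex of the original snippet is wanted, quote
// the user value. preg_quote() escapes regex metacharacters and, with '/' as
// its second argument, the delimiter too, so a needle of "x/e" becomes
// "x\/e" and stays inside the pattern instead of ending it.
function replaceEscaped(string $needle, string $with, string $in): string
{
    $pattern = '/' . preg_quote($needle, '/') . '/i';
    $out = preg_replace($pattern, $with, $in);
    // preg_replace() returns null on a malformed pattern or PCRE error;
    // fail closed instead of echoing null as an empty string.
    if ($out === null) {
        throw new RuntimeException('replacement failed: ' . preg_last_error_msg());
    }
    return $out;
}

// If a full pattern really must be accepted from outside (for example an
// admin-only config file), gate it on an allow-list of modifiers first.
// PHP 7+ no longer supports /e, but legacy 5.x hosts still do.
function patternHasOnlyAllowedModifiers(string $pattern, string $allowed = 'imsux'): bool
{
    if ($pattern === '' || $pattern[0] !== '/') {
        return false;
    }
    $end = strrpos($pattern, '/');
    if ($end === 0) {
        return false; // no closing delimiter
    }
    $modifiers = substr($pattern, $end + 1);
    return preg_match('/^[' . preg_quote($allowed, '/') . ']*$/', $modifiers) === 1;
}

$in = 'Somewhere, something incredible is waiting to be known';
echo replaceLiteral('incredible', 'ordinary', $in), PHP_EOL;
echo replaceEscaped('known/e', 'seen', $in), PHP_EOL; // a delimiter inside the needle is harmless
var_dump(patternHasOnlyAllowedModifiers('/foo/i'));  // allowed
var_dump(patternHasOnlyAllowedModifiers('/foo/e'));  // rejected
```

Two further points a reviewer should check in code like this: the replacement string is also interpreted by `preg_replace()` (`$1` and `\1` are backreferences), so a user-controlled `$with` that must be literal needs `\` and `$` escaped first; and any remaining `/e` usage on a legacy host should be rewritten with `preg_replace_callback()`, which takes a real PHP callable rather than a string to evaluate.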