Home > Developer > PHP

= And "implicit conversion" in PHP"

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Introduction to implicit conversions in PHP

Recently, there was a post on Hacker News (https://news.ycombinator.com/item? Id = 9484757), mentioned a method to detect website password encryption.

   
The result is:
  
bool(true)bool(true)bool(true)
  
If you use 240610708 as the password and then use QNKCDZO to log on to a website, the password is saved in MD5 mode. Similarly, if aaroZmOk is used as the password and then aaK1STfY is used for logon, the password is saved as sha1. The third type is plaintext storage.
Analysis
Take the first group as an example:
  
The result of md5 ('200') is: 0e462097431906509019562988742554md5 ('qnkcdzo '): 0e830400451993494058024219903391
  
Because PHP is a weak language, if you use the = sign to compare a number with a string or a string that involves the number content, the string is converted to a value and compared to a value. This rule also applies to switch statements. In the preceding example, the two strings start with 0e scientific notation. the strings are implicitly converted to floating point numbers, which are actually equivalent to 0x10 ^ 0. Therefore, they are equal.
Similar
    
The first returns true, and the second returns false.
Conclusion
"=" Should be used for Hash verification in PHP, instead of "= ". In addition, if the production environment version is high enough (PHP> = 5.6.0), it is best to use the hash_equals () function.
  
Hash_equals () compares two strings. whether they are equal or not, the time consumption of the function is constant and can be used to prevent time series attacks.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More