PHP Loose comparison
Last updated
Last updated
PHP has this particular functionality called Type juggling, it essentially tries to predict what a programmer wants to do with a variable, it usually checks whats's inside a variable and tries to convert it, for example if a string contains only numbers it will convert it to either an integer or a float, this behaviour can sometimes cause issues, especially when loose comparison is used.
PHP8 won't try to cast string into numbers anymore, https://dustri.org/b/php8-from-a-security-point-of-view.html#:~:text=PHP8%20won't%20try%20to,Snuffleupagus'%20sloppy%20comparison%20prevention%20feature.
In PHP there are 2 main types of comparison
Strict comparison (===)
Loose comparison (==)
Loose comparison compares only the value of the variable and not the type, it uses type juggling to try and predict the type of the variable
Strict comparison instead compares both the value of the variable and the type, it doesn't do any kind of type juggling since it also compares the type of the variable
these examples may work or not depending on the version of php that is currently in use
another peculiar example is :
Here PHP interprets boh the strings 10e3 and 1e4 as a scientific notation, PHP first converts this numbers into floats and the procedes with the comparison
Due to PHP juggling, when comparing hashes to another variable, if the hash starts with 0e it will again be interpreted as a scientific notation and it's value is going to equal to 0
You can find whole lists of magic hashes on various algorithms here : https://github.com/spaze/hashes
https://websec.fr/level10/index.php
a simple ctf challenge showcasing this kind of vulnerability
10e3 becomes
1e4 becomes
