Broad Network


Boolean Logic and PHP Conditions with Security Concerns

Basics of PHP with Security Considerations - Part 6

Foreword: In this part of the series you will apply Boolean logic to PHP conditions; you will also learn how to prevent leaks and cheats so far as PHP conditions are concerned.

By: Chrysanthus Date Published: 30 Aug 2018

Introduction

This is part 6 of my series, Basics of PHP with Security Considerations. In this part of the series you will apply Boolean logic to PHP conditions; you will also learn how to prevent leaks and cheats so far as PHP conditions are concerned. You should have read the previous parts of the series before reaching here, as this is the continuation.

Single Expression Example
Consider the following code:

    <?php

        $me = "tall";

        if ($me == "tall")
            {
                echo 'I am tall';
            }

    ?>

Read and try the code (you have to add the surrounding HTML elements first). In the condition (the parentheses of the if) there is only one expression, which is $me == "tall". If this expression results in true, the if-block will be executed. The above if-statement is equivalent to:

        if (true)
            {
                echo 'I am tall';
            }

For this second if-statement to be executed, you do not need the creation of the variable and its assignment. Read and try the following code:

    <?php

        if (true)
            {
                echo 'I am tall';
            }

    ?>

Let us look at a case where the condition results in false. Consider the following code:

    <?php

        $me = "short";

        if ($me == "tall")
            {
                echo 'I am tall';
            }

    ?>

The if-block (curly braces) in the above code will not be executed, because the condition results in false, since the value of the variable, $me, is “short” and not “tall”. The above if-statement is equivalent to:

    <?php

        if (false)
            {
                echo 'I am tall';
            }

    ?>

The if-block can only be executed if the condition is true. In this last case it is not executed.

More than One Expression in Condition
You can have more than one expression in a condition. In this part of the series, I consider a maximum of two expressions in a condition. Each of the expressions results in true or false. The expressions are combined with the AND, OR or NOT operators. The AND operator is typed as &&. The OR operator is typed as ||. The NOT operator is typed as !. The operators &&, || and ! are called logical operators. With logical operators, the rules in the previous part of the series can be rewritten as:

AND
(false) && (false) = false
(false) && (true) = false
(true) && (false) = false
(true) && (true) = true

OR
(false) || (false) = false
(false) || (true) = true
(true) || (false) = true
(true) || (true) = true

NOT
!(false) = true
!(true) = false

Double-Expression Examples
The if-block will not be executed in the following code:

    <?php

        if ((false)&&(true))
            {
                echo 'We are tall';
            }

    ?>

A practical example for the above code is:

    <?php

        $you = "tall";
        $me = "tall";
        if (($you == "short")&&($me == "tall"))
            {
                echo 'We are tall';
            }

    ?>

“tall” is assigned to the variable, $you, and also to the variable, $me. The first expression in the condition results in false and the second one results in true. (false)&&(true) gives false as the effective Boolean value for the condition. So the block is not executed.

The if-block will be executed in the following code:

    <?php

        if ((false)||(true))
            {
                echo 'Either of us is tall';
            }

    ?>

A practical example for the above code is:

    <?php

        $you = "tall";
        $me = "tall";
        if (($you == "short")||($me == "tall"))
            {
                echo 'Either of us is tall';
            }

    ?>

Read the above code. Try it. The first expression results in false; the second one results in true. The effective condition is true, since (false)||(true) gives true.

NOT Examples
The if-block will be executed in the following code:

    <?php

        if (!(false))
            {
                echo 'I am tall';
            }

    ?>

The if-block is executed, if the condition is true. !(false) gives true. If the condition is false, the if-block will not be executed.

A practical example for the above code is:

    <?php

        $me = "tall";
        if (!($me == "short"))
            {
                echo 'I am tall';
            }

    ?>

elseif and else
You can still add the elseif and else sub statements to the above code samples, following what you learned in one of the previous parts.

Security Issues
I will use the single expression condition to explain the security issues here; the same applies to double, triple and more expression conditions.

A Boolean value is either TRUE or FALSE. However, 0 or '0' or null or '' (empty string) is equal to FALSE, but FALSE is not identical (equivalent) to 0 or '0' or null or ''. Also, 1 or -1 or '1' or '-1' or 'text' is equal to TRUE, but TRUE is not identical (equivalent) to 1 or -1 or '1' or '-1' or 'text'.

Now, in PHP, in a condition, it is not only the value that matters; the type of the value also matters. true or false is of type, Boolean.

0 is of type integer (whole number); it is equal to false but it is not identical to false. 1 or -1 is equal to true but neither of them is identical to true. In fact any number other than 0 (positive or negative number or fraction) is equal to true but not identical to true.

'0' or '' or "" is of type, string and each is equal to false but not identical to false. '1' or '-1' or 'text' is still of type, string but each is equal to true and not identical to true.

null is the only value of type, null. It is equal to false but it is not identical to false.

There is an operator called the identical operator. I will say more about the equal operator and the identical operator in a later part of this series.
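
The following is an added example, not code from the original article. It runs the values listed above through a condition written with the equal operator (==) and with the identical operator (===), then shows the same pitfall with PHP's strpos(), which returns the integer 0 for a match at the start of a string and false for no match. The function names and the sample string are made up for illustration.

```php
<?php
declare(strict_types=1);

// Loose condition: passes for any value that is merely equal to true.
function passesLoose($value): bool
{
    return $value == true;
}

// Strict condition: passes only for the Boolean true itself.
function passesStrict($value): bool
{
    return $value === true;
}

// The values discussed in the text above.
$values = [true, 1, -1, '1', '-1', 'text', false, 0, '0', '', null];

foreach ($values as $value) {
    printf(
        "%-7s %-8s loose=%-5s strict=%s\n",
        var_export($value, true),
        gettype($value),
        var_export(passesLoose($value), true),
        var_export(passesStrict($value), true)
    );
}

// Same pitfall with a built-in function: strpos() returns the integer 0 for
// a match at the very start of the string, and false when nothing matches.
function containsLoose(string $text, string $word): bool
{
    // Bug: position 0 is equal to false, so a match at the start is missed.
    return !(strpos($text, $word) == false);
}

function containsStrict(string $text, string $word): bool
{
    // Position 0 is not identical to false, so the match is reported.
    return strpos($text, $word) !== false;
}

$comment = 'script at the start';   // constructed sample input
var_dump(containsLoose($comment, 'script'));
var_dump(containsStrict($comment, 'script'));
```

Only the Boolean true passes the strict condition, and only the strict strpos() check reports the word found at position 0.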

We have done a lot for now. Let us take a break and continue in the next part of the series.

Chrys
