Broad Network


PHP Scalar Types

PHP Data Types with Security Considerations - Part 1

Foreword: In this part of the series, I talk about the scalar data types, which are the integer, float, string and Boolean types.

By: Chrysanthus Date Published: 16 Oct 2018

Introduction

This is part 1 of my series, PHP Data Types with Security Considerations. In this part of the series, I talk about the scalar data types, which are the integer, float, string and boolean types. You will use localhost to test (try) many of the code samples of this volume. You should have read the previous series before coming here, as this is the continuation.

Integer
An integer is a whole number, e.g. 0, 1, 2, 3, ... 10, 11, 12, ... 20, 21, 22, ... etc. If you owe somebody $3, we say in math and programming that you have -$3; if you owe $15, we say that you have -$15; if you owe $100, we say you have -$100.

So, an integer can also be a negative whole number, e.g. -1, -2, -3, ... -10, -11, -12, ... -20, -21, -22, ... etc.

You can assign an integer to a variable. Try the following code, where '<br>' simply sends the cursor to the next line down:

<?php

    $var1 = 3;
    $var2 = 21;
    $var3 = 0;
    $var4 = -3;
    $var5 = -21;

    echo $var1, '<br>';
    echo $var2, '<br>';
    echo $var3, '<br>';
    echo $var4, '<br>';
    echo $var5, '<br>';

?>

The output is:

3
21
0
-3
-21

Float
A float type is a number with a decimal part, e.g. 2.5.
Here, you have 2, which is an integer. This is followed by the decimal point, and then the digit 5. The combination forms a float number (data) type.

Notice the relationship between the decimal point and the powers of 10 between the following equivalent numbers:

2587 = 2587 x 10^0, written as 2587e0 in PHP.
2587 = 258.7 x 10^1, written as 258.7e1 in PHP.
2587 = 25.87 x 10^2, written as 25.87e2 in PHP.
2587 = 2.587 x 10^3, written as 2.587e3 in PHP.

Notice the relationship between the decimal point and the negative powers of 10 between the following equivalent numbers:

0.00726 = 0.00726 x 10^0, written as 0.00726e0 in PHP.
0.00726 = 00.0726 x 10^-1, written as 00.0726e-1 in PHP.
0.00726 = 000.726 x 10^-2, written as 000.726e-2 in PHP.
0.00726 = 0007.26 x 10^-3, written as 0007.26e-3 in PHP.

Try the following code, where '<br>' simply sends the cursor to the next line down:

<?php

    echo 2.5, '<br>';
    echo '<br>';
    echo 2587e0, '<br>';
    echo 258.7e1, '<br>';
    echo 25.87e2, '<br>';
    echo 2.587e3, '<br>';
    echo '<br>';
    echo 0.00726e0, '<br>';
    echo 00.0726e-1, '<br>';
    echo 000.726e-2, '<br>';
    echo 0007.26e-3, '<br>';

?>

The output is:

2.5

2587
2587
2587
2587

0.00726
0.00726
0.00726
0.00726

The output is correct.

Precision and the Float Type
Now, 586,423 is approximately equal to 586,000; 586,000 is less precise than 586,423 because of the absence of 423. 586,423 is approximately equal to 586,400; 586,400 is less precise than 586,423 because of the absence of 23. 586,423 is approximately equal to 586,420; 586,420 is less precise than 586,423 because of the absence of 3. The fewer digits you replace with zeros at the right end of the number, the more precise the number is.

Also, 0.92143 is approximately equal to 0.92000; 0.92000 is less precise than 0.92143 because of the absence of 143. 0.92143 is approximately equal to 0.92100; 0.92100 is less precise than 0.92143 because of the absence of 43. 0.92143 is approximately equal to 0.92140; 0.92140 is less precise than 0.92143 because of the absence of 3. The fewer digits you replace with zeros at the right end of the number, the more precise the number is.

All float numbers in PHP have some loss of precision. However, for most applications this loss of precision can be ignored.

Note that when you use an imprecise number in a calculation with another imprecise number, the resulting imprecision increases.

Some scientific work (and maybe some financial work) needs very good precision. In that case, do not use PHP float numbers directly. PHP has two sets of functions called the BC Math Functions and the GMP Functions. When high precision is needed in your work, use functions from these sets.

String
A string is a series of characters. A Western European character occupies a space of 1 byte in the computer memory. A string literal is delimited by a pair of single quotes or a pair of double quotes. Try the following code:

<?php

    $str1 = 'I like my job.';
    $str2 = "I am a man of peace.";

    echo $str1, '<br>';
    echo $str2;

?>

Note the use of single and double quotes. If you are using single quotes, it must be a pair of single quotes. If you are using double quotes, it must be a pair of double quotes. You cannot mix both.  The output is:

    I like my job.
    I am a man of peace.

Note: Within a pair of double quotes, a variable expands (is replaced by its value). A variable does not expand within single quotes. Try the following code:


<?php

    $tf = 'twenty five';

    $str = "I will give you $tf apples.";

    echo $str;

?>

The output is:

    I will give you twenty five apples.

Now, if you want a single quote within a string, place it in a double quoted string - see example below.

These quotation marks are not the ones from your word processor; they are the ones from your text editor. The ones from your word processor will not work.

Boolean Type
A Boolean value is either true or false. Each of the values is case-insensitive. That is, true is the same as True, is the same as TRUE, is the same as tRuE, and so on. Also, false is the same as False, is the same as FALSE, is the same as fAlSe, and so on. However, variable names, whether for a Boolean, integer, float, string or some other type, are case-sensitive.

In the following code, in the first segment, if the if-condition is true, the if-block will be executed. In the second segment, if the condition is not false (i.e. true), the if-block will be executed.

<?php

    $var1 = true;

    if ($var1)
        {
            echo "Yes, I've been evaluated.", '<br>';
        }

    $var2 = false;

    if (!$var2)
        {
            echo "Yes, I've been evaluated too.", '<br>';
        }

?>

Note the use of the NOT operator in (!$var2). The output is:

    Yes, I've been evaluated.
    Yes, I've been evaluated too.

Note the single quote within double quotes, for the output.

Values in Quotes
A number, be it an integer or float, may or may not be within a pair of single or double quotes. You are advised not to put numbers in quotes.

However, a Boolean value within a pair of quotes is no longer a Boolean value. That is, 'true' or 'false' is no longer a Boolean value; each is a string. In fact, each is equivalent to true when evaluated as a condition, because any non-empty string other than '0' evaluates to true. So the string 'false' passes an if-test.

The is_type Functions

The is_int() Function
The is_int() or is_integer() function takes a value and returns Boolean true if the value is an integer or Boolean false if the value is not an integer. Try the following code:

<?php

    $var1 = 57;
    $var2 = 9.63;
    $var3 = true;
    $var4 = 'some chars';

    if (is_int($var1))
        echo 'it is integer', '<br>';
    else
        echo 'it is not integer', '<br>';
    if (is_int($var2))
        echo 'it is integer', '<br>';
    else
        echo 'it is not integer', '<br>';
    if (is_int($var3))
        echo 'it is integer', '<br>';
    else
        echo 'it is not integer', '<br>';
    if (is_int($var4))
        echo 'it is integer', '<br>';
    else
        echo 'it is not integer', '<br>';

?>

The output is:

    it is integer
    it is not integer
    it is not integer
    it is not integer

The is_float() Function
The is_float() function takes a value and returns Boolean true if the value is a float or Boolean false if the value is not a float. Try the following code:

<?php

    $var1 = 2587e0;
    $var2 = 43;
    $var3 = true;
    $var4 = 'some chars';

    if (is_float($var1))
        echo 'it is float', '<br>';
    else
        echo 'it is not float', '<br>';
    if (is_float($var2))
        echo 'it is float', '<br>';
    else
        echo 'it is not float', '<br>';
    if (is_float($var3))
        echo 'it is float', '<br>';
    else
        echo 'it is not float', '<br>';
    if (is_float($var4))
        echo 'it is float', '<br>';
    else
        echo 'it is not float', '<br>';

?>

The output is:

    it is float
    it is not float
    it is not float
    it is not float

Note: a number written in standard form (with an exponent, such as 2587e0) is a float in PHP, even without a decimal point.

The is_string() Function
The is_string() function takes a value and returns Boolean true if the value is a string or Boolean false if the value is not a string. Try the following code:

<?php

    $var1 = 'some chars';
    $var2 = 43;
    $var3 = true;
    $var4 = 2587e0;

    if (is_string($var1))
        echo 'it is string', '<br>';
    else
        echo 'it is not string', '<br>';
    if (is_string($var2))
        echo 'it is string', '<br>';
    else
        echo 'it is not string', '<br>';
    if (is_string($var3))
        echo 'it is string', '<br>';
    else
        echo 'it is not string', '<br>';
    if (is_string($var4))
        echo 'it is string', '<br>';
    else
        echo 'it is not string', '<br>';

?>

The output is:

    it is string
    it is not string
    it is not string
    it is not string

The is_bool() Function
The is_bool() function takes a value and returns Boolean true if the value is a bool or Boolean false if the value is not a bool. Try the following code:

<?php

    $var1 = false;
    $var2 = 43;
    $var3 = 'some chars';
    $var4 = 2587e0;

    if (is_bool($var1))
        echo 'it is bool', '<br>';
    else
        echo 'it is not bool', '<br>';
    if (is_bool($var2))
        echo 'it is bool', '<br>';
    else
        echo 'it is not bool', '<br>';
    if (is_bool($var3))
        echo 'it is bool', '<br>';
    else
        echo 'it is not bool', '<br>';
    if (is_bool($var4))
        echo 'it is bool', '<br>';
    else
        echo 'it is not bool', '<br>';

?>

The output is:

    it is bool
    it is not bool
    it is not bool
    it is not bool
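
The is_type functions above test the type of a PHP value, not what a string contains, and data from a form or URL always arrives as strings. The following is an added example (not from the original article) that shows the difference and a strict alternative using PHP's filter_var(); the $input array and the parse_flag() and parse_id() helper names are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample standing in for $_POST: every value is a string.
$input = ['id' => '57', 'is_admin' => 'false', 'qty' => '12abc'];

// Type checks look at the PHP type, not at the characters in the string.
var_dump(is_int($input['id']));         // a string, so not an int
var_dump(is_bool($input['is_admin']));  // a string, so not a bool
var_dump((bool) $input['is_admin']);    // non-empty string: counts as true

// Strict Boolean parsing: null means "not a recognised Boolean word".
function parse_flag(string $raw): ?bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

// Strict integer parsing with an allowed range: null means "reject".
function parse_id(string $raw, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Compare against true explicitly so that false and null both fail closed.
$isAdmin = parse_flag($input['is_admin']);
if ($isAdmin === true) {
    echo "admin path\n";
} else {
    echo "normal path\n";
}

foreach (['id', 'qty'] as $field) {
    $n = parse_id($input[$field]);
    echo $field, ': ', $n === null ? 'rejected' : "accepted as int $n", "\n";
}

?>
```

Treat a null result as invalid input and stop processing, rather than falling back to a default value.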

Insecurity

Integer
The maximum size of an integer depends on your operating system.

If PHP encounters an integer that is larger than the maximum size, it converts the number to a float, and in doing so introduces imprecision. Also, an operation which results in a number beyond the bounds of the integer type will return a float instead, with the imprecision of the float.

To avoid this, do not operate beyond the maximum integer value for your device. To know the maximum integer value for your device, use the PHP_INT_MAX constant as follows:

<?php

    $var = PHP_INT_MAX;
    echo $var;

?>

There is no integer division operator in PHP. The division of 2 integers results in a float, with the imprecision of the float. To work around this, use the Arbitrary Length Integer / GMP functions (of PHP). I will not address these functions in this volume, so consult some other documentation for that.
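
An added example (not from the original article) of the overflow described above: a guarded addition that refuses to cross PHP_INT_MAX instead of silently becoming a float, followed by intdiv(), a built-in function (PHP 7 and later) that returns an integer quotient. The safe_add() helper name is an assumption made for this illustration.

```php
<?php
declare(strict_types=1);

// Adding past PHP_INT_MAX does not wrap and does not fail: the result
// silently changes type to float and loses its low-order digits.
$next = PHP_INT_MAX + 1;
var_dump(is_int($next), is_float($next));

// On a 64-bit build, two different integers collapse to the same float,
// so a limit or uniqueness check made after the overflow compares the
// wrong values.
var_dump((float) PHP_INT_MAX === (float) (PHP_INT_MAX - 1));

// Guarded addition: test the bounds before the operation, while both
// operands are still exact integers.
function safe_add(int $a, int $b): int
{
    if (($b > 0 && $a > PHP_INT_MAX - $b) ||
        ($b < 0 && $a < PHP_INT_MIN - $b)) {
        throw new OverflowException("integer overflow adding $a and $b");
    }
    return $a + $b;
}

echo safe_add(2000000000, 147483647), "\n";

try {
    safe_add(PHP_INT_MAX, 1);
} catch (OverflowException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// intdiv() keeps the quotient an integer; the / operator gives a float here.
var_dump(intdiv(7, 2), 7 / 2);

?>
```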

Float
The main problem with float is the imprecision. Because of imprecision, the following expression is stored as a value just below 8, so converting it to an integer yields 7 instead of 8 as expected:

    ((0.1+0.7)*10)

For high precision, use the arbitrary precision math functions and the GMP functions. I will not address these functions in this volume, so consult some other documentation for that.
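
An added example (not from the original article) that carries the expression above through: what is stored, what an integer conversion does to it, and ways to get the expected result. The bcadd() and bcmul() calls assume the BC Math extension is loaded; float_equal() is a hypothetical helper and the price in cents is a constructed sample value.

```php
<?php
declare(strict_types=1);

$x = (0.1 + 0.7) * 10;

// With the default precision setting, echo rounds for display and hides
// the error; var_dump shows the value that is actually stored.
echo $x, "\n";
var_dump($x);

// Converting to integer truncates, so the tiny error becomes a whole unit.
var_dump((int) $x, (int) floor($x));

// Do not compare floats with == or ===; compare within a tolerance.
function float_equal(float $a, float $b, float $eps = 1e-9): bool
{
    return abs($a - $b) < $eps;
}
var_dump($x === 8.0, float_equal($x, 8.0));

// Fix 1: round explicitly before converting.
var_dump((int) round($x));

// Fix 2: keep decimal values as strings and use BC Math, which computes
// in base 10 to the requested number of decimal places.
if (extension_loaded('bcmath')) {
    $sum = bcadd('0.1', '0.7', 1);
    var_dump(bcmul($sum, '10', 0));
}

// Fix 3, for money: store the smallest unit (cents) as integers.
$priceCents = 1999;             // constructed sample: 19.99
$totalCents = $priceCents * 3;  // exact integer arithmetic
printf("%d.%02d\n", intdiv($totalCents, 100), $totalCents % 100);

?>
```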

There are other insecurities about scalar data types, which I will address in other series of this volume.

Let us stop here, for this part of the series and continue in the next part.

Chrys

