Broad Network


Security Risks and Prevention Explained for PHP Operators

PHP Cheat Sheet and Prevention Explained - Part 2

Foreword: In this part of the series, I explain security risks with PHP operators and how to prevent them.

By: Chrysanthus Date Published: 29 Jan 2019

Introduction

This is part 2 of my series, PHP Cheat Sheet and Prevention Explained. In this part of the series, I explain security risks with PHP operators and how to prevent them.

Risks are weaknesses, in PHP itself or in your own code, that you may overlook and that attackers (hackers) can take advantage of.

Float Number
In PHP, a float number is rarely represented in the computer at exactly the precision at which it is typed. So, do not trust the result of the equal (== or !=) and identical (=== or !==) operators when the two operands are floats. With the relational operators (<, >, <= and >=), do not trust the result when the two floats are close in value. How close is too close is difficult to tell from the way PHP represents floats.
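The following is an added example, not code from the original article, showing the float problem described above and a tolerance comparison to use instead. The helper name floatsEqual() and the deposit values are constructed for this example.

```php
<?php
// Added example, not from the original article: why == and === are
// unreliable on floats, and a tolerance comparison to use instead.
// floatsEqual() is a hypothetical helper name chosen for this example.

declare(strict_types=1);

// Treat two floats as equal when they differ by less than a tolerance.
// The tolerance is scaled by the magnitude of the operands so that it
// stays meaningful for large values as well as values near zero.
function floatsEqual(float $a, float $b, float $tolerance = 1e-9): bool
{
    $scale = max(1.0, abs($a), abs($b));
    return abs($a - $b) <= $tolerance * $scale;
}

$sum = 0.1 + 0.2;

// Exact comparison against the literal 0.3: both forms fail, because the
// binary representations of 0.1 + 0.2 and of 0.3 are not the same number.
var_dump($sum == 0.3);
var_dump($sum === 0.3);
var_dump(floatsEqual($sum, 0.3));

// Printing with 17 decimal digits shows what == is really comparing.
printf("%.17f\n%.17f\n", $sum, 0.3);

// Accumulated error: ten deposits of 0.1 (constructed values) do not add
// up to exactly 1.0, so a balance check written with == rejects a
// legitimate total.
$balance = 0.0;
for ($i = 0; $i < 10; $i++) {
    $balance += 0.1;
}
var_dump($balance == 1.0);
var_dump(floatsEqual($balance, 1.0));

// For money, avoid floats altogether and count in integer cents:
// integer arithmetic is exact, so === is safe here.
$cents = 0;
for ($i = 0; $i < 10; $i++) {
    $cents += 10;
}
var_dump($cents === 100);
```

Run it with `php float_compare.php`. The == and === checks against 0.3 and against 1.0 print false while the floatsEqual() checks print true, and the two printf lines show 0.30000000000000004 and 0.29999999999999999, which is the difference the exact comparison sees. Counting in integer cents sidesteps the problem entirely for currency.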

Ternary Operator
It is recommended that you avoid "stacking" ternary expressions. PHP's behavior when using more than one ternary operator within a single statement is non-obvious. Avoid doing something like this:

        $biggest = $a > $b ? $a : ($bigger = $c > $d ? $c : $d);

Comparison Operators

Loose Comparison Operators
Loose Comparison Operators are == and != and operate after type juggling.

Strict Comparison Operators
Strict Comparison Operators are === and !== .

The Array Union Operator, +
This operator uses loose comparison to return the union of two arrays.

With loose comparison (the == and != array operators) the result may be unexpected. When in doubt, use strict comparison (the === and !== array operators), but beware of loose comparison for the keys.

As for the union array operator, +, just be careful as you use it; do not forget that it does loose comparison for the keys.
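The following is an added example, not code from the original article, covering both the loose/strict comparison sections and the array union operator above. The helper compareBoth() and the $defaults/$input arrays are constructed for this example.

```php
<?php
// Added example, not from the original article: loose vs strict comparison
// under type juggling, and how the array union operator treats keys.
// compareBoth() is a hypothetical helper name chosen for this example.

declare(strict_types=1);

// Loose == compares after type juggling; === requires the same type and value.
function compareBoth(mixed $a, mixed $b): array
{
    return ['loose' => $a == $b, 'strict' => $a === $b];
}

// Numeric strings are compared as numbers under ==.
var_dump(compareBoth('1e3', '1000'));
// Both of these strings are numeric and equal to zero, so == says they match.
var_dump(compareBoth('0e12345', '0e99999'));
var_dump(compareBoth(null, false));
var_dump(compareBoth('1', 1));

// Arrays: == is true when the key/value pairs match loosely, in any order;
// === also requires the same order and the same value types.
var_dump(compareBoth(['a' => 1, 'b' => '2'], ['b' => 2, 'a' => 1]));

// Comparing secrets such as tokens or hash strings with == is risky because
// of the numeric-string juggling shown above; hash_equals() compares the
// bytes, in constant time, and does no juggling.
$stored = '0e12345';   // constructed stand-in for a stored hash string
$given  = '0e99999';   // constructed stand-in for a submitted value
var_dump($stored == $given);
var_dump(hash_equals($stored, $given));

// Array union: the keys decide. The left operand wins on duplicate keys.
// Integer-like string keys ("1") are normalised to int keys (1) before the
// keys are matched, while "01" stays a string key.
$defaults = ['1' => 'default-one', 'role' => 'user'];
$input    = [1 => 'input-one', '01' => 'input-zero-one', 'role' => 'admin'];

// Defaults keep their values; only keys missing from $defaults are added.
var_dump($defaults + $input);
// Operand order matters: here the input overrides the defaults.
var_dump($input + $defaults);
```

The two numeric-string comparisons and the null/false comparison come out loosely equal and strictly unequal, the two arrays likewise, and hash_equals() returns false for the pair that == reports as equal. In the union, $defaults + $input keeps 'user' for the role key and adds only the '01' entry, while $input + $defaults yields 'admin'; when merging user-supplied keys with defaults, put the operand whose values must win on the left.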

Operator Precedence
The expression,

        2 + 5 * 3

is either evaluated as

       (2 + 5) * 3  
or  
       2 + (5 * 3)

That is, you either do the addition first or the multiplication (*) first. If you do the addition first you have 21; if you do the multiplication first, you have 17. PHP actually does the multiplication first and the answer is always 17. This is called precedence: which operation is done first, which is done second, which is done third, and so on. When you are not sure of the sequence of operations in an expression, you can use brackets (parentheses) to force a sequence.

There is more to precedence: Consider the following:

        2 + 5

You must have given the answer as 7. However, the computer does not work like that: it has to decide whether to work through the operation from the right operand (5) to the left operand (2) or from the left operand to the right. With some operators, the two directions give different answers from what you expect. Right-to-left evaluation is called right associativity. Left-to-right evaluation is called left associativity.

The following table lists the operators in order of precedence, with the highest-precedence at the top (descending downward). Operators on the same line have equal precedence, in which case associativity decides the order of evaluation.

Operator Precedence

Associativity      Operators
non-associative    clone, new
left               [
non-associative    ++, --
right              ~, -, (int), (float), (string), (array), (object), (bool), @
non-associative    instanceof
right              !
left               *, /, %
left               +, -, .
left               <<, >>
non-associative    <, <=, >, >=, <>
non-associative    ==, !=, ===, !==
left               &
left               ^
left               |
left               &&
left               ||
left               ? :
right              =, +=, -=, *=, /=, .=, %=, &=, |=, ^=, <<=, >>=, =>
left               and
left               xor
left               or
left               ,
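The following is an added example, not code from the original article, that walks through the precedence table and also illustrates the ternary-stacking warning from earlier in this part. The helpers isValidToken() and isActive() are hypothetical names constructed for this example.

```php
<?php
// Added example, not from the original article: how precedence and
// associativity change a result, with parentheses showing each grouping.
// isValidToken() and isActive() are hypothetical helpers for this example.

declare(strict_types=1);

function isValidToken(string $token): bool
{
    return $token === 'expected';   // constructed check, stands in for a real one
}

function isActive(bool $flag): bool
{
    return $flag;
}

// Precedence: * binds tighter than +, so the multiplication happens first.
var_dump(2 + 5 * 3);
var_dump((2 + 5) * 3);

// Associativity of - is left: 10 - 4 - 3 groups as (10 - 4) - 3.
var_dump(10 - 4 - 3);
var_dump(10 - (4 - 3));

// Associativity of = is right: $a = $b = $c = 4 groups as $a = ($b = ($c = 4)).
$a = $b = $c = 4;
var_dump([$a, $b, $c]);

// `and` has lower precedence than `=`; `&&` has higher. The first statement
// groups as ($ok = isValidToken(...)) and isActive(...), so $ok never sees
// the second condition: an inactive account would pass a check written this
// way. The second and third statements group as the author intended.
$ok  = isValidToken('expected') and isActive(false);
$ok2 = isValidToken('expected') && isActive(false);
$ok3 = (isValidToken('expected') and isActive(false));
var_dump($ok, $ok2, $ok3);

// instanceof binds tighter than !, so !$x instanceof stdClass is
// !($x instanceof stdClass) and behaves as expected.
$x = new stdClass();
var_dump(!$x instanceof stdClass);

// Ternary: the two groupings below differ. The first is the left-associative
// grouping PHP applied to unparenthesised nesting (PHP 8 refuses to compile
// nested ternaries without parentheses); the second is the usual intent.
$score = 95;   // constructed value
$leftGrouped  = ($score > 90 ? 'A' : $score > 70) ? 'B' : 'C';
$rightGrouped = $score > 90 ? 'A' : ($score > 70 ? 'B' : 'C');
var_dump($leftGrouped, $rightGrouped);
```

Running this prints 17 then 21 for the first pair, 3 then 9 for the subtraction pair, true for $ok but false for $ok2 and $ok3, false for the instanceof line, and 'B' for $leftGrouped against 'A' for $rightGrouped. The $ok case is the one to watch in security checks: always parenthesise an `and`/`or` expression that feeds an assignment, or use `&&`/`||`.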

That is it for this part of the series. We stop here and continue in the next part.

Chrys

