Broad Network


Types to String and Strings to Numbers in PHP

PHP String with Security Considerations - Part 10

Foreword: In this part of the series I talk about Types to String and Strings to Numbers in PHP.

By: Chrysanthus Date Published: 29 Oct 2018

Introduction

This is part 10 of my series, PHP String with Security Considerations. In this part of the series I talk about Types to String and Strings to Numbers in PHP. You should have read the previous parts of the series before coming here, as this is the continuation.

Recall
The main types in PHP are scalar types (integer, float, Boolean, string), compound types (array, object), special types (resource, NULL), pseudo types (mixed, number). There are new types, which are callable, iterable, void and array|object. I address these new types later in the series.

Converting to String
You can convert a value of another type to a string using the (string) cast operation.

Converting Boolean to String
The Boolean true changes to the string '1', and the Boolean false changes to the empty string, ''. "" and '' are the same thing: the empty string. Try the following code:

<?php

    $on = (string)true;
    $off = (string)false;

    if ($on === '1')
        echo "true becomes '1'", '<br>';

    if ($off === '')
        echo 'false becomes the empty string', '<br>';

?>

Note the way the cast operation has been coded.

The output is:

    true becomes '1'
    false becomes the empty string

Converting Number to String
An integer or float can be converted to a string by using the (string) cast operation. The result is a string holding the number, as if the number had been typed within quotes. Try the following code:

<?php

    $thr = (string)3;
    $tpf = (string)2.5;

    if ($thr === '3')
        echo "3 is now a string", '<br>';

    if ($tpf === "2.5")
        echo '2.5 is now a string', '<br>';

?>

Note the way the cast operation has been coded. Also note that it does not matter whether you compare the result with a string in single quotes or in double quotes.

The output is:

    3 is now a string
    2.5 is now a string

Converting NULL to String
You can convert the null value to a string using the (string) cast operation. NULL becomes the empty string. Try the following code:

<?php

    $nl = (string)NULL;

    if ($nl === '')
        echo "NULL becomes the empty string.", '<br>';

?>

Note the way the cast operation has been coded.

The output is:

    NULL becomes the empty string.

Converting Array to String
An array is not converted to a string in a useful way: PHP just returns the word Array. Try the following code:

<?php

    $myArr = array("foo" => "bar", 1 => "fooo");

    $arrStr = (string)$myArr;

    if ($arrStr === 'Array')
        echo 'Just the word, Array.', '<br>';

?>

Note the way the cast operation has been coded.

The output is:

    Just the word, Array.

Converting Object to String
In order to convert an object to a string, the magic method, __toString must be used; see later.

Converting Resource to String
Converting a resource to a string gives something like "Resource id #1", where 1 is the resource number assigned to the resource by PHP at runtime. Try the following code, replacing 'c:/temp.txt' with the path of an actual file:

<?php

    $handle = fopen('c:/temp.txt', 'r');

    $res = (string)$handle;

    echo $res;

?>

I tried it on my computer, and I had:

    Resource id #3

Implicit Conversion
A value can be converted to a string using the (string) cast or the strval() function. String conversion is automatically done in the scope of an expression where a string is needed. This happens when using the echo or print functions, or when a variable is compared to a string.
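
The conversions above lose information: false and NULL both become the empty string, and any array becomes the word Array. The following is an added example, not part of the original article, of a helper that converts only when the result is unambiguous; the name to_string_strict and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: convert a value to a string only when the result
 * is unambiguous, instead of relying on the (string) cast.
 */
function to_string_strict($value): string
{
    if (is_string($value)) {
        return $value;
    }
    if (is_int($value) || is_float($value)) {
        return (string)$value;
    }
    if (is_bool($value)) {
        // The cast would give '1' or '', and '' is also what NULL gives
        return $value ? 'true' : 'false';
    }
    if (is_object($value) && method_exists($value, '__toString')) {
        return (string)$value;
    }
    // NULL, arrays, resources and objects without __toString are refused
    throw new InvalidArgumentException(
        'Cannot convert ' . gettype($value) . ' to string'
    );
}

// Constructed sample values; the array stands for a parameter sent as name[]=x
$samples = [3, 2.5, true, false, null, ['x'], 'plain'];

foreach ($samples as $sample) {
    $shown = json_encode($sample);
    try {
        echo $shown, ' => ', json_encode(to_string_strict($sample)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $shown, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```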

Conversion from String to Number
A number is an integer or a float.

A float string contains any of the characters '.', 'e', or 'E'. The '.' is the decimal point; e or E means "times 10 raised to the power of".

If a number is just enclosed in quotes, the string is evaluated to that number. So,

'10' would become 10
'10.5' would become 10.5
'1.2e3' would become 1200

If a number is preceded by whitespace and the whole is enclosed in quotes, the string is evaluated to that number. So,

'  10' would become 10
'  10.5' would become 10.5
'  1.2e3' would become 1200

If a string begins with a number, which is then followed by whitespace and/or words, the string is evaluated to that number. So,

'26bid' would become 26

If a string begins with whitespace only, followed by a number, and then by whitespace and/or numbers, the string is evaluated to the first number. So,

'  26bid' would become 26

Whether a string begins with whitespace or not, if its number is preceded by non-digits, the string is evaluated to zero. So,

'bid26' would become zero depending on the context.
'  bid26' would become zero depending on the context.

If a string begins with optional whitespace, followed by a number, and then by whitespace and/or non-digit characters and/or numbers, the string is evaluated to the first number. So,

'10.5 pigs and 34 goats' would become 10.5
'  10.5 pigs and 34 goats' would become 10.5

Try the following code, where (integer) cast and (float) cast operations are used:

<?php

    $inte = (int)'10';
    echo $inte, '<br>';
    $flt = (float)'10.5';
    echo $flt, '<br>';
    $flt = (float)'1.2e3';
    echo $flt, '<br>';
    $inte = (int)'  10';
    echo $inte, '<br>';
    $flt = (float)'  10.5';
    echo $flt, '<br>';
    $flt = (float)'  1.2e3';
    echo $flt, '<br>';
    $inte = (int)'26bid';
    echo $inte, '<br>';
    $inte = (int)'  26bid';
    echo $inte, '<br>';
    echo '<br>';
    $inte = (int)'bid26';
    echo $inte, '<br>';
    $flt = (float)'  bid26';
    echo $flt, '<br>';
    echo '<br>';
    $inte = (int)'10.5 pigs and 34 goats';   //becomes 10 because of (int) cast
    echo $inte, '<br>';
    $flt = (float)'  10.5 pigs and 34 goats';
    echo $flt, '<br>';

?>

The output is:

10
10.5
1200
10
10.5
1200
26
26

0
0

10
10.5
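
The casts above accept '26bid' and '10.5 pigs and 34 goats' without complaint, which matters when the string comes from a request. The following is an added example, not the author's code, that sets the loose cast beside a check accepting only a complete decimal integer; the function names and the range 1 to 1000 are assumptions.

```php
<?php
declare(strict_types=1);

/** Permissive: the cast keeps a leading number and silently drops the rest. */
function parse_quantity_loose(string $raw): int
{
    return (int)$raw;
}

/**
 * Strict: accept only a string made entirely of 1 to 9 decimal digits whose
 * value lies in [$min, $max]. Returns null for anything else.
 */
function parse_quantity_strict(string $raw, int $min = 1, int $max = 1000): ?int
{
    if (preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;            // whitespace, sign, '.', 'e' or words present
    }
    $value = (int)$raw;         // safe now: digits only, cannot overflow
    return ($value >= $min && $value <= $max) ? $value : null;
}

// Constructed inputs, most of them taken from the article's examples
$inputs = ['10', '  10', '26bid', 'bid26', '10.5 pigs and 34 goats', '1.2e3', ''];

foreach ($inputs as $raw) {
    printf(
        "%-26s loose=%-5d strict=%s\n",
        var_export($raw, true),
        parse_quantity_loose($raw),
        var_export(parse_quantity_strict($raw), true)
    );
}
```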

Within double quotes interpolation takes place. Note from the third line of the result that a NUMBER written within single quotes ('1.2e3') is still evaluated to its value. Try the following code:

<?php

    if (26 == '  26bid')
        echo 'same', '<br>';

    if (2.5 == '2.5')    //float comparison is not recommended
        echo 'same, though float comparison is not recommended';

?>

The output is:

    same
    same, though float comparison is not recommended

So, the string is first converted to a number before being compared. Note that === in the above two conditions, would result in FALSE, because the pairs are of different types.
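
The following is an added example, not part of the original article, that sets the == comparison described above beside a check that refuses anything but an exact string of digits. The function names and the list of submissions are assumptions; 26 is the article's number.

```php
<?php
declare(strict_types=1);

/** Loose check: PHP converts the operands before comparing them. */
function code_matches_loose(int $expected, $submitted): bool
{
    return $expected == $submitted;
}

/**
 * Strict check: the submitted value must be a string of digits only,
 * and must equal the expected code character for character.
 */
function code_matches_strict(int $expected, $submitted): bool
{
    if (!is_string($submitted) || preg_match('/\A[0-9]+\z/', $submitted) !== 1) {
        return false;
    }
    return (string)$expected === $submitted;
}

// Constructed submissions; 26 is the article's number, the rest are variations
$submissions = ['26', '  26bid', '26bid', '26.0', true, ['26']];

foreach ($submissions as $submitted) {
    printf(
        "%-12s loose=%-5s strict=%s\n",
        json_encode($submitted),
        var_export(code_matches_loose(26, $submitted), true),
        var_export(code_matches_strict(26, $submitted), true)
    );
}
```

On PHP 7, which the article's output reflects, the loose check accepts '  26bid'. PHP 8.0 compares a number with a non-numeric string as strings, so that line differs between versions while the strict check gives the same answer on both.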

That is it for this part of the series. We stop here and continue in the next part.

Chrys

