Web Application Security Guide/Comparison issues

Comparison issues

When comparing values, know the behaviour of your programming language. For example in PHP, "==" is a loose comparison that ignores the type and may give you unexpected behaviour. "===" is used for exact comparison. Using the wrong type of comparison can lead to security issues.

To prevent comparison issues

  • Know comparison types in your programming language and use the correct one
  • When in doubt (especially with PHP), use a strict comparison (PHP: "===")
  • When comparing strings for equality, make sure you actually check that the strings are equal and not that one string contains the other

Rationale

Using a too loose comparison can easily cause security issues. For example, in PHP, the following will evaluate to TRUE:

 "a97e8342f0" == 0

The hex string, which could be a token or hash, is automatically parsed as an integer, and as it starts with a letter and thus cannot be parsed, the result is 0.

Accidentally checking for strings being contained instead of checking for strings being equal can allow attackers to bypass e.g. whitelist checks.

Last modified on 25 November 2011, at 17:53