Re: [off] PHP: a fractal of bad design

Date: Mon, 07 May 2012 03:32:30 +0000
Subject: Re: [off] PHP: a fractal of bad design
Groups: php.internals
On Sun, May 6, 2012 at 12:17 AM, Richard Lynch <[email protected]> wrote:
>> What exactly valid points? == is a converting operator, === is a strict
>> operator. OK, in his favorite language it is not. Where exactly the
>> valid point is? Author goes at great lengths to refuse to make even a
>> slight mental effort to understand how it works (really, it's not that
>> hard) and then complains it's "useless". Well, a lot of things would be
>> useless if you don't want to know how to use them.
>
> He has a few valid points in the part I read before I got bored...
>
> $a = "123ABF453..."; //a password
> $b = "123DFEABC..."; //another one
> if ($a == $b){
>  //you're in.
> }
>
> Yes, one should have validated the input...
>
> But you don't have to be THAT naive to think that the hashed value of
> an SQL injection attack just isn't going to work, so it's "safe"...
>
> I'll bet I have some of these in my (recent) code, for that matter.
>
> On the other hand, if you accept type juggling, you have to expect the
> other cases he has for == being a bit strange.

Validated or not, why would type juggling even come into the picture
if both variables are of the same type?

123 == "123abc" // sure, why not
"61529519452809720693702583126814" ==
"61529519452809720000000000000000" // WAT?!

In the above, only the first ~50% of an md5 hash has to be correct.
This gets even worse for SHA256 hashes.
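The following is an added example, not code from the thread or from PHP itself. It reuses the 32-digit string above as a stored "hash" and pairs it with constructed candidate inputs to show how `==` treats two numeric strings, then shows the check a practitioner should use instead (`is_string()` plus `hash_equals()`, available since PHP 5.6). It also goes one step beyond the message: the two md5 preimages at the end are well-known values whose hashes both have the form `0e<digits>`, which PHP reads as the number 0 in exponent notation, so they compare equal under `==` on every PHP version.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the thread). Demonstrates why `==` must not be
 * used to compare a stored secret (password hash, token) against input,
 * and what to use instead. All candidate inputs below are constructed.
 */

// Loose comparison. If both operands are numeric strings PHP compares them
// as numbers; a 32-digit string exceeds the integer range and becomes a
// float with roughly 16 significant digits, so trailing digits vanish.
function loose_check(string $stored, $candidate): bool
{
    return $stored == $candidate;
}

// Hardened comparison: insist on a string, then compare byte for byte in
// constant time. hash_equals() never performs numeric conversion.
function strict_check(string $stored, $candidate): bool
{
    return is_string($candidate) && hash_equals($stored, $candidate);
}

$stored = '61529519452809720693702583126814';   // digit string from the message

$candidates = [
    'exact match'                    => '61529519452809720693702583126814',
    // Whether this one compares true under == depends on the PHP version:
    // since the fix for bug #54547 (PHP 5.4.4 / 5.3.14), two integer-like
    // strings that both overflow are compared as strings instead of floats.
    'only the leading digits match'  => '61529519452809720000000000000000',
    // Same numeric value written in exponent notation: compares true
    // under == on every version, since one side is not integer-like.
    'same value in float notation'   => '6.1529519452809720693702583126814e31',
    // An integer literal this large becomes a float; == then converts the
    // stored string to float as well and they compare equal.
    'integer literal, not a string'  => 61529519452809720693702583126814,
];

foreach ($candidates as $label => $candidate) {
    printf("%-32s  ==: %-5s  hash_equals: %s\n",
        $label,
        var_export(loose_check($stored, $candidate), true),
        var_export(strict_check($stored, $candidate), true));
}

// Beyond the thread: hashes of the form "0e<digits>" are numeric strings
// in exponent notation with value 0, so any two of them are == on every
// PHP version. The preimages below are well known and the hashes are
// computed here rather than hard-coded.
function loose_hash_equal(string $a, string $b): bool
{
    return md5($a) == md5($b);
}

function strict_hash_equal(string $a, string $b): bool
{
    return hash_equals(md5($a), md5($b));
}

printf("\nmd5('QNKCDZO')   = %s\n", md5('QNKCDZO'));
printf("md5('240610708') = %s\n", md5('240610708'));
printf("different preimages  ==: %s  hash_equals: %s\n",
    var_export(loose_hash_equal('QNKCDZO', '240610708'), true),
    var_export(strict_hash_equal('QNKCDZO', '240610708'), true));
```

Run it with `php example.php` on more than one interpreter version if you can: PHP 8.0 changed how an integer compares with a non-numeric string (so `123 == "123abc"` is now false), but two numeric strings are still compared numerically, which is exactly the case a stored hash falls into. The fix is the same on every version: never let a secret reach `==`; use `===` for type-safe equality and `hash_equals()` when the comparison must also be constant-time.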

