re: JavaScript has numerous similar oddities, that could lead to unwanted behaviour when the code is written by someone who doesn't know the language: ...

JS is a good comparison because it's a really strong amateur language as well. And I'm not saying that it has no issues but rather that PHP makes very dangerous things very easy to do.

Of course, PHP improved a lot and many low-hanging fruits have been fixed. However let's have a look at this security issue form phpBB back in 2005. Yes it's old and yes a linter would fix it. But if someone wrote that code today the issue would still be there.

If you take the code, it goes like this (in short):

$sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();

$auto_login_key = $userdata['user_password'];

if( $sessiondata['autologinid'] == $auto_login_key )
    // You're admin

So yes the stripslashes() is a funny reminder of a time that is actually over since PHP managed to get rid of magic_quote_gpc but that's not the point.

Some raw data from the user goes through unserialize(). Which means that $sessiondata['autologinid'] is from any type that the user deems. On the other hand, $auto_login_key is a string.

To answer your question, who would compare 0 to a string? Well, some hacker using unforseen side-effects in some code that looks very reasonable otherwise. Putting 0 in autologinid is equivalent to writing:

// Before implicit cast
if( 0 == "somekey" )

// After implicit cast
if ( 0 == 0 )

You're going to tell me that now we have JSON and frameworks and many wonders that help us not do this kind of things. But if you never saw a junior write a $_GET in some Laravel/Symfony code then you have not been looking. And the same goes for all protections brought by these frameworks, they are just too easy to bypass.

Now to be honest I don't like PHP and I don't like JS (especially on the back-end) so that's really more of an anti-PHP argument than a pro-Node one.

Code of Conduct Report abuse