Parameter Manipulation Attacks

From SecurePHPWiki

Because PHP is weakly typed and converts between types automatically, alternative representations of an input parameter (a different spelling of the same value) can foil validation checks written for the canonical form (WACT).

<?php
// empty() treats only the empty string '' and the literal string '0' as empty,
// so the alternative spelling '000' is "not empty"
empty( '000' ); // returns false

// ...yet in a numeric comparison the same string is converted to the integer 0
if ( '000' == 0 )
   print( 'true' ); // prints true
?>

A zero string such as '000' will convert to a numeric 0 (zero) if used in a numeric context, so a loose comparison with == treats it as zero even though empty() does not; a check that relies on one of these behaviours but not the other can be bypassed by choosing the right representation.
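The following is an added example, not code from the original wiki page: it runs the loose checks above over several constructed spellings of zero and places them beside a strict validator that accepts only the canonical decimal form. The function names looseIsZero and strictIsZero are hypothetical.

```php
<?php
// Added example (not part of the original page). Loose validation as shown on
// the page: empty() plus a == comparison against 0.
function looseIsZero(string $param): bool
{
    return empty($param) || $param == 0;
}

// Strict validation: accept only a canonical non-negative decimal integer and
// compare it as an integer with ===.
function strictIsZero(string $param): bool
{
    // ctype_digit() rejects signs, whitespace, decimal points, exponents and
    // hex prefixes; the second test rejects leading zeros such as '000'.
    if (!ctype_digit($param) || (strlen($param) > 1 && $param[0] === '0')) {
        return false; // not a canonical integer, so not accepted at all
    }
    return (int) $param === 0;
}

// Constructed inputs: each one compares equal to 0 under PHP's loose rules,
// but only '0' is the canonical representation a validator should accept.
$samples = ['0', '000', '0.0', '0e5', ' 0', "0\n"];

foreach ($samples as $s) {
    printf("%-6s empty=%-5s loose=%-5s strict=%s\n",
        var_export($s, true),
        var_export(empty($s), true),       // true only for '0'
        var_export(looseIsZero($s), true), // true for every sample
        var_export(strictIsZero($s), true) // true only for '0'
    );
}
```

The loose column is true for every sample, which is the property an attacker exploits when a check such as `empty()` is expected to reject zero; the strict column shows that rejecting non-canonical representations up front removes the ambiguity.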