{
    "slug": "php_type_coercion_auth",
    "term": "Type Coercion in Authentication Checks",
    "category": "security",
    "difficulty": "advanced",
    "short": "PHP's loose comparison (==) coerces types: '0e123' == '0e456' is true (both are numeric strings equal to 0 in scientific notation), and before PHP 8 so was 0 == 'admin' — always use === for authentication comparisons.",
    "long": "PHP's == operator uses type juggling. Classic attacks: (1) Magic hash collision: two MD5 hashes that start with 0e and contain only digits afterwards (like 0e462097431906509019562988736854) are both numeric strings equal to '0' in scientific notation, so they are == equal; this still holds in PHP 8. (2) 0 == 'anything' because PHP coerces the non-numeric string 'anything' to 0 — PHP 8 changed this comparison so that it is now false, but code targeting older versions remains exposed. (3) true == 'anything' because any non-empty string is truthy. The fix: always use === (strict equality) for password, token, and hash comparisons, and use hash_equals() when the comparison must also be timing-safe. PHP's password_verify() and hash_equals() are safe. Never compare hashes with == or strcmp().",
    "aliases": [],
    "tags": [
        "php",
        "security",
        "authentication",
        "type-juggling"
    ],
    "misconception": "Using strcmp() for hash comparison is secure — it is not: strcmp() is not timing-safe, and the usual strcmp(...) == 0 check is itself a loose comparison (strcmp() returns 0 on match, 0 == false in PHP, and in PHP 7 and earlier a non-string argument such as an array makes strcmp() return NULL, which == 0 accepts). Use hash_equals().",
    "why_it_matters": "Type coercion in authentication allows trivially bypassing password checks, token validation, and hash comparisons with crafted inputs.",
    "common_mistakes": [
        "Using == to compare password hashes — magic hash bypass.",
        "Using strcmp() for security comparisons — timing attack + type coercion.",
        "Not using hash_equals() for HMAC verification."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "type_juggling",
        "hash_equals",
        "timing_attack",
        "weak_password_hash"
    ],
    "prerequisites": [
        "type_juggling",
        "hash_equals"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.hash-equals.php",
        "https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection"
    ],
    "bad_code": "// Vulnerable: 0 == 'admin' is TRUE in PHP 7 and earlier\nif ($token == $expectedToken) { /* bypassable */ }\n\n// Vulnerable: magic hash\n$hash = md5($password); // e.g. '0e123...'\nif ($hash == $storedHash) { /* 0e... == 0e... */ }",
    "good_code": "// Always strict comparison:\nif ($token === $expectedToken) { /* correct */ }\n\n// For timing-safe hash comparison:\nif (hash_equals($storedHash, $computedHash)) { /* safe */ }\n\n// For passwords, always use password_verify:\nif (password_verify($input, $storedHash)) { /* safe */ }",
    "quick_fix": "Replace all == with === for security comparisons. Use hash_equals() for hash comparison. Use password_verify() for passwords. Never compare tokens with strcmp().",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-22",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/php_type_coercion_auth",
        "html_url": "https://codeclaritylab.com/glossary/php_type_coercion_auth",
        "json_url": "https://codeclaritylab.com/glossary/php_type_coercion_auth.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Type Coercion in Authentication Checks](https://codeclaritylab.com/glossary/php_type_coercion_auth) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/php_type_coercion_auth"
            }
        }
    }
}