When should you NOT use Type Coercion?

Avoid relying on implicit coercion for security checks — '0' == false == null under loose comparison. Do not use type coercion as a sanitisation strategy — cast after validating, not instead of validating.

When is Type Coercion the right choice?

Understand PHP's type coercion rules when working with legacy code that omits strict_types. Use explicit casting when you intentionally need a value in a specific type — (int)$_GET['page'].

← Back to glossary

Type Coercion

php CWE-704 OWASP A3:2021 CVSS 8.1 PHP 7.0+ Intermediate

Also Known As

PHP type juggling implicit casting type coercion PHP

TL;DR

PHP's automatic conversion between types can produce unexpected comparison results, leading to logic bugs and security bypasses.

Explanation

PHP's loose comparison operator == performs type juggling — '0e123' == '0e456' evaluates to true because both are treated as scientific notation floats equal to zero. This has historically enabled authentication bypasses in MD5 hash comparisons. Similarly, 0 == 'foo' is true in PHP 7 (though fixed in PHP 8). Use strict comparison (===) for all security-sensitive comparisons, enable strict_types, and be aware of how in_array() and array_search() behave without the strict parameter.

Common Misconception

✗ PHP type coercion only affects comparisons. Type coercion also affects arithmetic, string concatenation, and function arguments in non-strict mode — "5 apples" + 2 equals 7, and passing "42abc" to an int parameter silently becomes 42.

Why It Matters

PHP's type juggling silently converts values between types — understanding coercion rules prevents security bypasses (type juggling attacks) and logic bugs caused by unexpected equality.

Common Mistakes

Using == with mixed types — '0e1234' == '0e5678' is true (both are 0 in scientific notation).
in_array() without the strict third parameter — in_array(0, ['a', 'b']) returns true in PHP 7.
switch statements coercing types — switch('0') matches case false.
Not enabling strict_types — PHP silently coerces string '42' to int 42 without it.

Avoid When

Avoid relying on implicit coercion for security checks — '0' == false == null under loose comparison.
Do not use type coercion as a sanitisation strategy — cast after validating, not instead of validating.

When To Use

Understand PHP's type coercion rules when working with legacy code that omits strict_types.
Use explicit casting when you intentionally need a value in a specific type — (int)$_GET['page'].

Code Examples

✗ Vulnerable

if (md5($input) == $storedHash) { /* bypass with '0e...' hashes */ }

✓ Fixed

if (hash_equals($storedHash, md5($input))) { /* constant time + strict */ }

References

Tags

Added 15 Mar 2026

Edited 31 Mar 2026

Curated in Warsaw under one editorial standard. 1,444 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

ChatGPT 136 Perplexity 14 Amazonbot 14 Google 6 Unknown AI 5 SEMrush 3 Ahrefs 2

Also referenced

Type Juggling 149 declare(strict_types=1) 30

How they use it

crawler 178 crawler_json 1 pre-tracking 1

Related categories

php 6.3k security 4k

⚡ DEV INTEL Tools & Severity

🟠 High ⚙ Fix effort: Low

⚡ Quick Fix

Enable strict_types=1 in every file to prevent PHP from silently coercing '5abc' to 5 — without it, passing a string to an int parameter succeeds with unexpected results

📦 Applies To

PHP 7.0+ web cli queue-worker

🔗 Prerequisites

Type Juggling declare(strict_types=1) Defensive Programming

🔍 Detection Hints

fn(int $n) called with '5abc' silently truncating to 5 without strict_types; implicit bool→int coercion in arithmetic; comparison bugs from string→number coercion

Auto-detectable: ✓ Yes phpstan psalm rector

⚠ Related Problems

Type Juggling declare(strict_types=1) authentication bypass

🤖 AI Agent

Confidence: Medium False Positives: High ✗ Manual fix Fix: Medium Context: Function Tests: Update

CWE-704 CWE-697