{
    "slug": "type_coercion",
    "term": "Type Coercion",
    "category": "php",
    "difficulty": "intermediate",
    "short": "PHP's automatic conversion between types can produce unexpected comparison results, leading to logic bugs and security bypasses.",
    "long": "PHP's loose comparison operator == performs type juggling — '0e123' == '0e456' evaluates to true because both are treated as scientific notation floats equal to zero. This has historically enabled authentication bypasses in MD5 hash comparisons. Similarly, 0 == 'foo' is true in PHP 7 (though fixed in PHP 8). Use strict comparison (===) for all security-sensitive comparisons, enable strict_types, and be aware of how in_array() and array_search() behave without the strict parameter.",
    "aliases": [
        "PHP type juggling",
        "implicit casting",
        "type coercion PHP"
    ],
    "tags": [
        "php",
        "type-system",
        "security",
        "gotchas"
    ],
    "misconception": "PHP type coercion only affects comparisons. Type coercion also affects arithmetic, string concatenation, and function arguments in non-strict mode — \"5 apples\" + 2 equals 7 (with only a notice or warning), and in PHP 7 passing \"42abc\" to an int parameter is accepted as 42.",
    "why_it_matters": "PHP's type juggling silently converts values between types — understanding coercion rules prevents security bypasses (type juggling attacks) and logic bugs caused by unexpected equality.",
    "common_mistakes": [
        "Using == with mixed types — '0e1234' == '0e5678' is true (both are 0 in scientific notation).",
        "in_array() without the strict third parameter — in_array(0, ['a', 'b']) returns true in PHP 7.",
        "switch statements coercing types — switch('0') matches case false.",
        "Not enabling strict_types — PHP silently coerces string '42' to int 42 without it."
    ],
    "when_to_use": [
        "Understand PHP's type coercion rules when working with legacy code that omits strict_types.",
        "Use explicit casting when you intentionally need a value in a specific type — (int)$_GET['page']."
    ],
    "avoid_when": [
        "Avoid relying on implicit coercion for security checks — '0' == false and false == null are both true under loose comparison.",
        "Do not use type coercion as a sanitisation strategy — cast after validating, not instead of validating."
    ],
    "related": [
        "type_juggling",
        "strict_types"
    ],
    "prerequisites": [
        "type_juggling",
        "strict_types",
        "defensive_programming"
    ],
    "refs": [
        "https://www.php.net/manual/en/language.types.type-juggling.php",
        "https://owasp.org/www-community/vulnerabilities/PHP_type_juggling_vulnerabilities"
    ],
    "bad_code": "if (md5($input) == $storedHash) { /* bypass with '0e...' hashes */ }",
    "good_code": "if (hash_equals($storedHash, md5($input))) { /* constant time + strict */ }",
    "quick_fix": "Enable strict_types=1 in every file so PHP stops coercing '5abc' to 5 when it is passed to an int parameter — without it, passing a string to an int parameter succeeds with unexpected results. Note that strict_types only affects scalar type declarations on calls made from that file; it does not change == comparisons, so security-sensitive comparisons still need ===.",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-31",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/type_coercion",
        "html_url": "https://codeclaritylab.com/glossary/type_coercion",
        "json_url": "https://codeclaritylab.com/glossary/type_coercion.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Type Coercion](https://codeclaritylab.com/glossary/type_coercion) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/type_coercion"
            }
        }
    }
}