3

I am checking the validation of the request with an if query,

if ($request_userid == $userid) {
...
}

That's working as expected. But further testing has shown that if $request_userid or $userid is 0 or "", then the condition is true and the script runs the if query, but it shouldn't.

I am currently solving it with:

if ($userid == "" ) {
exit ("exit");
}

But I don't think that this is the right way?

Can you explain why it doesn’t work with the if query and what would be the correct way to check it?

0

4 Answers

4

Here is the PHP page on comparison operators.

You're using a loose comparison by using a double-equals sign. Change it to a triple equals sign and it will check by both type and value.

Also see this page on booleans & casting.

The reason '' == 0 evaluates to TRUE, is that the integer 0, when cast as a boolean, converts to FALSE. The empty string ('') also converts to FALSE. Therefore, your comparison ends up looking like if (false == false), which is true.

4 Comments

So $a === $b would be correct? I tried it already, but it doesn't make a difference. I get the same result as for ==. If I understand it right, then 12 == 21 would be true and with 12 === 21 it would be false, is that correct?
$a === $b is a valid way to write a conditional. 12 == 21 would be true, and 12 === 21 would also be true. But 12 === '21' would be false, because the '21' is a string and 12 is an integer. With strict comparison (===), the two variables must be equivalent AND they must be of the same type.
Thanks a lot - with if ($request_userid === "$userid") it's working - just to be absolutely sure - this is the correct way for checking? Sorry for asking again, I am pretty new to PHP.
There's no end-all "correct" way for checking. It depends on your use case. But usually, it's safer to check using strict comparison, to make sure you know what you're getting. But in some cases, you may want loose comparison. So it all depends.
1

You could use

if ($request_userid === $userid && $userid != "" )

Comments

1

why it doesn't work with the if query?

Because you are comparing types using the == comparison operator, then the type of "" and let's say $userid = "SpongeBob" will match.

what would be the correct way to check it?

Now if you use the === comparison operator you will compare equality, then you will be comparing if they are identical, and $userid = "SpongeBob" won't match with ""

1 Comment

"SpongeBob" == "" should return false (even with loose comparison). Those are both strings, so no type-casting is needed.
1

Just change the logic to this:

if ((!empty($request_userid) && !empty($userid)) && ($request_userid === $userid)) {
...
}

The issue is 0 and null will always equal each other when you do == which compares between two different datatypes; i.e.: null and 0. But === ensures that both values have the same type. So 0 and null will never match with ===. And the !empty() checks are another level of validation ensuring that the === will never happen unless $request_userid and $userid are 100% not empty.

That said, the conditional you are using to solve this issue currently will work:

if ($userid == "" ) {
   exit ("exit");
}

But I would just recommend changing that to:

if (empty($userid)) {
   exit ("exit");
}

At the end of the day, this is not a kludge or messy but simply a way of dealing with the realities of validating user input.

Comments
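Added example, not code from the question or from any of the answers above: one way to combine the strict comparison and the empty-value check discussed in this thread is to normalize both IDs first and fail closed when either is missing. It assumes user IDs are positive integers and PHP 8.0 or later; normalizeUserId() and isSameUser() are hypothetical helper names, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (assumption: a valid user ID is a positive integer).
// Returns the ID as int, or null when the value cannot be a valid ID.
function normalizeUserId(mixed $value): ?int
{
    // null, bool, float and array are rejected outright, so that
    // true, 1.0 or null can never be coerced into an ID.
    if (!is_int($value) && !is_string($value)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "", "abc" and "12abc";
    // min_range 1 additionally rejects 0 and negative numbers.
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: true only when BOTH values are valid IDs
// and are identical after normalization (fail closed otherwise).
function isSameUser(mixed $requestUserId, mixed $userId): bool
{
    $a = normalizeUserId($requestUserId);
    $b = normalizeUserId($userId);
    return $a !== null && $b !== null && $a === $b;
}

// Constructed sample inputs: [value from the request, value from the session/DB].
$cases = [
    ['42', 42],     // same ID, string from the request vs int from storage
    ['42', '43'],   // different IDs
    ['', ''],       // both empty
    [null, 0],      // both "missing"
    ['0', 0],       // zero is not a valid ID under the assumption above
    ['12abc', 12],  // numeric prefix followed by junk
];

// Print the loose (==) result next to the checked result for each pair.
// Loose results for number/string pairs differ between PHP 7 and PHP 8.
foreach ($cases as [$req, $own]) {
    printf(
        "%-8s %-6s loose=%-6s checked=%s\n",
        var_export($req, true),
        var_export($own, true),
        var_export($req == $own, true),
        var_export(isSameUser($req, $own), true)
    );
}
```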
