php: unsafe at any speed
Looks pretty harmless? Yet this file demonstrates exactly why php should not be used with data you care about.
- On the first line we divide a number by zero. Yes! And php will happily continue processing. We say division by zero is undefined in the true sense - you cannot define a result, any result, even an internal runtime tag denoting a undefined var. There is a warning on STDERR, but incredibly, php continues to run the script!
- Next we compare the result of division by zero to another variable with ==, an operator so incredibly wrong that it should be removed from the language. This "soft" equality evaluates the "not set" value on the lhs with a newly-appearing variable on the rhs that has not been assigned any value. The (strange and broken) semantics of == allows these to evaluate to be equal (!!). And what does php say about the fact that $t on the rhs was never declared? No problem! php will gladly accept an unknown variable and gin up some state for it. If $t ends up just being a mis-type of another properly initialized variable we meant to use here, oh well! You'll never know until it is too late. php -l won't tell you anything, because technically, the introduction of $t here is not an error according to php (!!)
- Finally we arrive at the place where I will be doing something to an important piece of data like your credit card number or your medical record. Yes, the code here is reached. It was reached after dividing a number by zero and then comparing that "result" to a variable that was never properly initialized!
It is truly frightening that users on the web have their valuable data handled by tools like this.
last update 2012-05-16