When PHP String Comparisons And Nonce Validation Go Wrong
In a recent article, I talked about nonces, what they are and their role in WordPress. That article stressed the importance of using nonces to help prevent XSS and CSRF attacks. Soon after it was published, I read about multiple security vulnerabilities in the extremely popular plugin W3 Total Cache. One of these vulnerabilities is the result of improper nonce validation: the nonce was not validated using the standard wp_verify_nonce() function. Instead, it was validated using a == comparison. In this article, I'm going to cover string comparisons in PHP. Specifically, I will cover some of the issues with string comparison, how hashes are compared, and why a plain string comparison is not sufficient.
String Comparisons In A Dynamically Typed Language
Because PHP is a dynamically typed language, we often need to deal with strings that represent integers or boolean values. For example, the string '1' may represent the integer 1 or the boolean true.
To account for this, PHP and JavaScript provide both === and == comparisons. The === comparison takes into account both data type and content, while the == comparison takes into account content only: it converts the operands to a common type before comparing them, so two values of different types (or two strings that happen to look like numbers) can compare equal.
Take a look at this example:
Both conditionals
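The following is an added example, not code from the original article or from W3 Total Cache. It shows why a nonce or hash must never be checked with ==: PHP compares two numeric-looking strings as numbers, so two different hex digests of the form "0e<digits>" both become 0 and compare equal. The two digest values are constructed sample strings, and the 'my_plugin_action' nonce action is an assumed placeholder.

```php
<?php
// Added example: loose vs. strict vs. constant-time comparison of secret-derived
// strings in PHP. Both sample values below are constructed 32-character hex
// strings that happen to start with "0e", which PHP treats as numeric strings
// (scientific notation, mantissa 0). They are NOT equal as strings.
$expected = '0e462097431906509019562988736854';
$supplied = '0e830400451993494058024219903391';

function looseCheck(string $expected, string $supplied): bool {
    // == juggles types: both operands are numeric strings, so PHP converts
    // them to numbers (0.0 and 0.0) and reports them as equal.
    return $expected == $supplied;
}

function strictCheck(string $expected, string $supplied): bool {
    // === compares type and content with no conversion, so the two strings
    // are correctly reported as different.
    return $expected === $supplied;
}

function safeCheck(string $expected, string $supplied): bool {
    // hash_equals() compares byte-by-byte with no type juggling and takes the
    // same time regardless of where the strings differ, so it is the right
    // primitive whenever the value being compared is derived from a secret.
    return hash_equals($expected, $supplied);
}

function verifyPluginNonce(string $nonce): bool {
    // In WordPress, do not compare a nonce yourself at all; core handles the
    // comparison (and the nonce's time window) in wp_verify_nonce().
    // 'my_plugin_action' is an assumed placeholder action name.
    return function_exists('wp_verify_nonce')
        && wp_verify_nonce($nonce, 'my_plugin_action') !== false;
}

// Stand-alone demonstration of the three comparisons on the constructed values.
var_dump(looseCheck($expected, $supplied));   // the bug: loose comparison
var_dump(strictCheck($expected, $supplied));  // strict comparison
var_dump(safeCheck($expected, $supplied));    // constant-time, strict comparison
```

Run it under any PHP 5.6 or later interpreter; only looseCheck() reports the two different digests as equal.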
Source: https://managewp.org/articles/13694/when-php-string-comparisons-and-nonce-validation-go-wrong
Original source: https://williechiu40.wordpress.com/2016/10/25/when-php-string-comparisons-and-nonce-validation-go-wrong/