PHP Specific Flaws

Sept 2012


No consistent way of returning results for some functions (e.g. **strpos**)

strpos() returns FALSE when the search is not successful, otherwise an integer (which may be 0). If you compare the result using the == operator, you'll get into trouble.

strpos returns FALSE, which is wrongly evaluated as 0

$haystack = "ABC";
$needle = "D";
$pos = strpos($haystack, $needle); // FALSE: "D" is not in "ABC"
echo $haystack[$pos]; // wrongly prints A, because FALSE is cast to offset 0
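The strict check that avoids this, as an added example (not code from the original page): the helper names are invented for the illustration, and it also shows the related "match at position 0" case, where strpos() returns 0 and a loose comparison against FALSE reports a genuine match as "not found".

```php
<?php
// Added example (not from the original page): strpos() must be checked with a
// strict comparison, because a match at position 0 and "no match" (FALSE) are
// both falsy under ==.

function starts_with_loose($haystack, $prefix)
{
    // BUG: when $prefix sits at position 0, strpos() returns 0 and 0 != false
    // is false, so a genuine match is reported as "not found".
    return strpos($haystack, $prefix) != false;
}

function starts_with_strict($haystack, $prefix)
{
    // Correct: compare type and value, then test the position explicitly.
    $pos = strpos($haystack, $prefix);
    return $pos !== false && $pos === 0;
}

function char_at_match($haystack, $needle)
{
    $pos = strpos($haystack, $needle);
    if ($pos === false) {
        return null;                    // never index the string with FALSE (cast to 0)
    }
    return $haystack[$pos];
}

var_dump(starts_with_loose("https://example.com", "https://"));   // bool(false): wrong
var_dump(starts_with_strict("https://example.com", "https://"));  // bool(true)
var_dump(char_at_match("ABC", "D"));                              // NULL, not "A"
var_dump(char_at_match("ABC", "C"));                              // string(1) "C"
```

The same rule applies to every function documented as returning "FALSE on failure" alongside a legitimate zero or empty value: test with === or !== before using the result.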

No built-in accelerators

Because PHP recompiles the script on every request, you may need an “accelerator” (opcode cache), installed separately, to improve performance.

Register globals

They were removed in 5.4, and they had been turned off by default for a long time before that. A constant source of insecurity in the past.
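Why register globals were such a problem, as an added example (not code from the original page): with register_globals on, every request parameter became a global variable, so any variable a script forgot to initialise could be pre-set by the client. The functions and the simulated request below are constructed for the illustration.

```php
<?php
// Added example (not from the original page). With register_globals=On
// (default before PHP 4.2, removed in 5.4) every request parameter became a
// global variable, so any variable the script forgot to initialise could be
// pre-set by the client. The functions and the simulated request are constructed.

function check_credentials()
{
    // Hypothetical stand-in for a real session/password check; fails here.
    return false;
}

// Vulnerable pattern: $authorized is only assigned on success and never
// initialised, so whatever register_globals imported is trusted.
function show_admin_vulnerable()
{
    global $authorized;
    if (check_credentials()) {
        $authorized = true;
    }
    return $authorized ? "admin content" : "denied";
}

// Hardened pattern: initialise every state variable locally and read request
// data only through the superglobals ($_GET, $_POST, ...).
function show_admin_fixed()
{
    $authorized = false;                    // explicit default; cannot be injected
    if (check_credentials()) {
        $authorized = true;
    }
    return $authorized ? "admin content" : "denied";
}

// Simulate register_globals having imported a request parameter "authorized=1".
$authorized = "1";
var_dump(show_admin_vulnerable());          // string(13) "admin content"
var_dump(show_admin_fixed());               // string(6) "denied"
```

On PHP 5.4 and later only the hardened shape is possible, but the habit of initialising state before the check is still worth keeping: it also protects against the same class of bug introduced through extract() or variable variables.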

Not every construct is a function

array() is not a function; there is no int() function, only the (int) cast and its alias (integer). The same goes for (bool), (boolean), etc. echo and empty are also not functions but language constructs.


Type-coercing comparison operators will convert numeric strings to numbers

If you compare:

- a number with a string, the string is converted to a number and the comparison is performed numerically (a string with no leading digits becomes 0):

Compare a number with a string

$a = 0;
$b = "true";
var_dump($a == $b); // it gives true, because "true" is converted to 0
"12" -> 12
"12a" -> 12
"a12" -> 0
"12a13" -> 12

- two numerical strings, then each string is converted to a number and the comparison is performed numerically, so precision is lost for long digit strings:

Wrong comparison

$a = "1234567890123456789012345678901234567890";
$b = "1234567890123456789000000000000000000000";
var_dump($a == $b); // it will give you TRUE, which is WRONG! Both strings overflow to the same float
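Both coercion cases side by side, as an added example (not code from the original page), together with the safe way to compare user-supplied tokens or hashes. Note that PHP 8 changed the number-versus-non-numeric-string rule (0 == "true" and 12 == "12a" are false there), but comparisons between two numeric strings, including the "0e..." case, still coerce. hash_equals() exists from PHP 5.6; the token_matches() helper is invented for the illustration.

```php
<?php
// Added example (not from the original page): how == coerces numeric strings,
// and what to use instead when comparing identifiers, tokens or hashes.

$cases = array(
    array(0, "true"),                    // PHP 5/7: "true" -> 0, so 0 == "true" is TRUE (false on PHP 8)
    array("12a", 12),                    // leading-numeric string: TRUE on PHP 5/7 (false on PHP 8)
    array("1234567890123456789012345678901234567890",
          "1234567890123456789000000000000000000000"), // both overflow to the same float: TRUE
    array("0e12345", "0e54321"),         // both parse as 0 * 10^n = 0.0: TRUE (still TRUE on PHP 8)
    array("1e3", "1000"),                // TRUE: numeric strings compared as numbers
);

foreach ($cases as $c) {
    list($a, $b) = $c;
    printf("%-45s == %-45s : %s / === : %s\n",
        var_export($a, true), var_export($b, true),
        var_export($a == $b, true), var_export($a === $b, true));
}

// Safe comparison of a user-supplied token with a stored one: === stops the
// coercion, and hash_equals() (PHP 5.6+) additionally runs in constant time.
function token_matches($stored, $supplied)
{
    if (!is_string($supplied)) {
        return false;                     // hash_equals() requires two strings
    }
    return hash_equals($stored, $supplied);
}

var_dump(token_matches("0e12345", "0e54321")); // bool(false), unlike ==
var_dump(token_matches("0e12345", "0e12345")); // bool(true)
```

The "0e" case matters in practice because hex digests frequently start with "0e" followed only by digits; comparing two such digests with == treats them as equal floats. Every === (or !==) in the loop output is false except where the strings are byte-identical.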



Variable names are case sensitive; function and class names aren't.

Difference between element names

class Test {
    protected $one_var = 1;
    protected $ONE_VAR = 2; // a distinct property: property names are case sensitive
    public function __construct() {
        echo $this->one_var."\n"; // valid, prints 1
        echo $this->ONE_VAR."\n"; // valid, prints 2
    }
}
$ob = new Test();

Try to add

Method names aren't case sensitive

    public function one_method() {}
    public function ONE_METHOD() {}
and you'll get a fatal error: “Cannot redeclare…”
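The full picture of which identifiers are case sensitive, as an added example (not code from the original page). The Widget class, Greet() function and is_allowed_callback() helper are invented for the illustration; the last part shows the practical consequence for any code that keys behaviour on a function or class name supplied at run time.

```php
<?php
// Added example (not from the original page): which PHP identifiers are case
// sensitive. Function, class and method names are not; variables, properties
// and constants are.

function Greet($name) { return "hello $name"; }
class Widget {
    public $size = 1;
    public $SIZE = 2;               // a second, distinct property
    public function Render() { return "widget"; }
}

var_dump(greet("a") === GREET("a"));        // bool(true): same function, any spelling
var_dump(function_exists("gReEt"));         // bool(true)
$w = new wIDGET();                          // same class as Widget
var_dump($w instanceof Widget);             // bool(true)
var_dump(method_exists($w, "RENDER"));      // bool(true)
var_dump($w->size, $w->SIZE);               // int(1) int(2): properties differ
$token = "x"; $TOKEN = "y";
var_dump($token === $TOKEN);                // bool(false): variables differ
define("LIMIT", 10);
var_dump(defined("limit"));                 // bool(false): constants are case sensitive

// Consequence for code that keys behaviour on a function or class name
// (a dispatcher, a deny list, an autoloader): normalise with strtolower()
// before comparing, otherwise the same callable is treated as a different
// one under another spelling.
function is_allowed_callback($name, array $allowed)
{
    return in_array(strtolower($name), array_map('strtolower', $allowed), true);
}
var_dump(is_allowed_callback("GREET", array("greet")));  // bool(true): same function
```

The rule of thumb: anything resolved through the function or class table is matched case-insensitively, anything stored in a symbol table (variables, properties, array keys, constants) is matched byte for byte.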


Less-than / greater-than operators (no safe version)

Different results for similar operations

$a = "123";
$b = "0124";
var_dump($a < $b); // bool(true): both are numeric strings, so 123 < 124 is compared numerically, i.e. "string $a is less than string $b"
var_dump(strcmp($a, $b)); // positive: compared byte by byte "1" > "0", so "string $a is greater than string $b"
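How the operators switch between numeric and string ordering depending on what the operands happen to contain, and the explicit functions to use instead, as an added example (not code from the original page). The input values are constructed; version_compare(), strnatcmp() and the sort() flags are standard PHP.

```php
<?php
// Added example (not from the original page): < and > pick numeric or string
// comparison based on the operands' contents, so use an explicit function
// when the intended ordering matters.

$pairs = array(
    array("123", "0124"),   // both numeric: 123 < 124 -> true
    array("123", "0124a"),  // "0124a" is not numeric: byte-wise "1" > "0" -> false
    array("1.10", "1.9"),   // both numeric floats: 1.1 < 1.9 -> true (wrong for version numbers)
    array("10", "9"),       // both numeric: 10 < 9 -> false
);
foreach ($pairs as $p) {
    list($a, $b) = $p;
    printf("%-8s < %-8s : %-5s  strcmp: %2d  strnatcmp: %2d\n",
        $a, $b, var_export($a < $b, true), strcmp($a, $b), strnatcmp($a, $b));
}

// Explicit comparisons that do not depend on how the operands happen to look:
var_dump(version_compare("1.10", "1.9", "<"));   // bool(false): 1.10 is the newer version
var_dump(strcmp("123", "0124") > 0);             // bool(true): byte-wise "1" > "0"

// sort() has the same ambiguity; a flag makes the intent explicit.
$ids = array("10", "9", "0124", "123");
sort($ids);                      // default (SORT_REGULAR): numeric strings compared as numbers
echo implode(",", $ids), "\n";   // 9,10,123,0124
sort($ids, SORT_STRING);         // byte-wise
echo implode(",", $ids), "\n";   // 0124,10,123,9
```

When a value is an identifier (an account number, an order id, a zero-padded code) rather than a quantity, compare and sort it as a string explicitly; the default operators will silently change their mind the moment one operand stops looking numeric.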

Concatenation and Addition

The + operator is not overloaded for strings: "1" + "2" is numeric addition. The dot (.) operator is always used for concatenation.


For an array you can use [] or {} to address an element ($a[12], $a{12}).

The [] operator can be applied to any variable, and it doesn't issue an error (only a Notice).

$a = 12; var_dump($a[1]); // it will display NULL!
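What that silent NULL means for code that indexes decoded input, as an added example (not code from the original page). The JSON bodies and the role_of_* helpers are constructed for the illustration. (The {} offset syntax mentioned above was removed in PHP 8; only [] remains.)

```php
<?php
// Added example (not from the original page): [] applied to an integer, or to
// an array lacking the key, yields NULL without an error, so code that indexes
// decoded input without a type check silently reads "nothing". The JSON bodies
// are constructed.

$a = 12;
var_dump($a[1]);                          // NULL (no error; a notice from PHP 7.4 on)

function role_of_unchecked($decoded)
{
    return $decoded["role"];              // NULL for an int or for an array without the key
}

function role_of_checked($decoded)
{
    // Validate the shape before indexing; anything unexpected means "no role".
    if (!is_array($decoded) || !isset($decoded["role"]) || !is_string($decoded["role"])) {
        return null;
    }
    return $decoded["role"];
}

$bodies = array(
    '{"role":"admin"}',   // the expected object
    '12',                 // a bare number
    '[]',                 // an empty array
);
foreach ($bodies as $body) {
    $decoded = json_decode($body, true);
    var_dump(role_of_checked($decoded)); // string(5) "admin", then NULL, then NULL
}
var_dump(role_of_unchecked(12));         // NULL, indistinguishable from "role missing"
```

The point is that an unexpected input shape never fails loudly: without the is_array()/isset() guard, a later `if ($role == "admin")` simply sees NULL, and any logic that treats "no value" as a default branch runs on malformed input as if it were well-formed.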

Ternary operator is LEFT-to-RIGHT associative

Unlike in most other programming languages.

Ternary is left to right

$choice = 1;
$result = ($choice == 1) ? 'Yes' :
          ($choice == 2) ? 'No' : 'Maybe';
var_dump($result); // it returns 'No' instead of 'Yes': parsed as (($choice == 1) ? 'Yes' : ($choice == 2)) ? 'No' : 'Maybe'
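The corrected form, as an added example (not code from the original page): explicit parentheses give the nested ternary the right-to-left reading the author expected, and PHP 8 rejects the unparenthesised nested form at compile time, so they are mandatory there. The label() helpers are invented for the illustration.

```php
<?php
// Added example (not from the original page): writing the nested ternary so
// that it reads as intended. PHP 8 rejects the unparenthesised nested form at
// compile time, so the parentheses are mandatory there, not just advisable.

function label($choice)
{
    // Inner ternary grouped explicitly: evaluated as the right-associative chain
    // other languages use, instead of (($choice == 1) ? 'Yes' : ($choice == 2)) ? 'No' : 'Maybe'.
    return ($choice == 1) ? 'Yes' :
           (($choice == 2) ? 'No' : 'Maybe');
}

// Equivalent, and easier to audit, as a plain conditional chain.
function label_explicit($choice)
{
    if ($choice == 1) {
        return 'Yes';
    } elseif ($choice == 2) {
        return 'No';
    }
    return 'Maybe';
}

foreach (array(1, 2, 3) as $choice) {
    var_dump(label($choice) === label_explicit($choice));  // bool(true) three times
}
var_dump(label(1)); // string(3) "Yes", where the unparenthesised version above gives "No"
```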


Function names

Function names are very inconsistent: strpos but str_pad, urlencode but base64_encode.
For arrays, some functions start with array_*, others don't.

No module system

- extensions are specified in php.ini and loaded into the global namespace

Argument order is not consistent

array_filter($input, $callback) versus array_map($callback, $input)
strpos($haystack, $needle) versus array_search($needle, $haystack)

Heavily based on C modules

Large portions of PHP are just wrappers around C functions.

Confusing naming (//vsprintf// and //sprintf//)

If a function accepts an array of arguments rather than a variable number of arguments, we get two very similar versions of the same thing (vprintf versus printf, and likewise vsprintf versus sprintf).

Confusion for similar functions

explode and str_split (the difference is that explode accepts a separator, str_split does not)

Confusing returned results

On some older UNIX platforms, it may not be able to determine the current OS information, in which case it falls back to displaying the OS that PHP was built on.

No standard way to access a database

Three ways (for MySQL, for example): the mysql extension, the mysqli extension, and the PDO abstraction layer
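The same parameterised lookup written against two of the three APIs, as an added example (not code from the original page). The PDO version runs against an in-memory SQLite database so it works offline (it assumes the pdo_sqlite extension is loaded); the mysqli version has the same shape but needs a live MySQL connection, so it is defined but not called. The users table and its rows are constructed, and find_user_* are invented helper names.

```php
<?php
// Added example (not from the original page): the same parameterised query
// written against two of the three MySQL APIs. PDO is shown running against
// an in-memory SQLite database so it works offline; the mysqli version has the
// same shape but needs a live MySQL connection. The legacy mysql_* extension
// (removed in PHP 7) has no prepared statements at all, so every value had to
// be escaped by hand with mysql_real_escape_string().

function find_user_pdo(PDO $db, $name)
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute(array(':name' => $name));     // value is bound, never interpolated into SQL
    return $stmt->fetch(PDO::FETCH_ASSOC);       // false when no row matches
}

function find_user_mysqli(mysqli $db, $name)
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
}

// Constructed in-memory table so the PDO path runs without a server.
$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");

// Inserting through a prepared statement too: the apostrophe needs no escaping.
$ins = $db->prepare("INSERT INTO users (name) VALUES (:name)");
foreach (array("alice", "o'brien") as $name) {
    $ins->execute(array(':name' => $name));
}

var_dump(find_user_pdo($db, "alice"));     // array with id and name "alice"
var_dump(find_user_pdo($db, "o'brien"));   // array with id and name "o'brien"
var_dump(find_user_pdo($db, "carol"));     // bool(false): no such row
```

Whichever of the three APIs a code base uses, the property to check for is that values reach the server as bound parameters; only mysqli and PDO offer that, which is the main reason the old mysql extension was deprecated.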


php/specific_flaws.txt · Last modified: 2013/03/16 17:40 (external edit)