I love PHP, is fast to develop, it has many useful built-in features, can be extended with C modules, Arrays are wonderful and saves a lot of time from data-type conversion, but there are certain problems that you should know and that you should be aware of.
There are wonderful posts that mention a lot of issues with PHP, in this article I mention only the stuff I’ve not seen around.
I recommend you reading this wonderful post about the bad design on PHP:
‘string’ == 0 is (often) true
This is something everyone has fell some times. And still see a lot of code on GitHub and in my new Teams when I go to a project that fall to that problem.
PHP is “clever” transforming the type of data to compare it. This allow to produce code much faster (try to parse floats in Java or C++ in web projects) but also leads to problems some times.
So if your developers write a code like this, that gets the income sent from a web form:
$s_income = $_POST['income'];
if ($s_income == 0) {
// The guy is poor, save to the evil CRM database as no interesting person...
// ...
}
That will fail detecting as 0 if someone enters in the texbox ‘milions’ or ‘$100000’.
The solution would be to check if $s_income is empty, and if is not empty but intval($s_income) is 0, request the user to reinput only with numeric values.
Another example. Imagine that you have a program that reads a CSV file, that has addresses. For example seven lines:
Facebook,Hacker Way,1,Menlo Park,94025,CA Amazon,2nd Avenue,,1516,WA Microsoft Corporation,One Microsoft Way,0,,WA Apple,Infinite Loop, 1,Cupertino,95014,CA Twitter,Market Street, 1355,,,CA Netflix,Winchester Circle,one hundred,Los Gatos,95032,CA Cmips,,0-1,Palo Alto,,CA Fake Address,Nowhere,Building 5,Silicon Valley,,CA
CSV may contain errors, as most of times the data comes from data input manually at some moment or entered by users via web.
So your code reads it, puts each field in an array field as string, and you can use it.
Let’s assume that our buggy code looks for a 0 in the number, and then performs some action like setting a boolean to FALSE in the database or whatever.
Something like:
<?php
$i_row = 0;
if (($o_handle = fopen("addresses.csv", "r")) !== FALSE) {
while (($st_data = fgetcsv($o_handle, 1000, ",")) !== false) {
$i_row++;
$i_num_fields = count($st_data);
$s_company_name = $st_data[0];
$s_street = $st_data[1];
$s_number = $st_data[2];
if ($s_number == 0) {
// The address has no number
// Do something real...
echo 'Row: '.$i_row.' '.$s_company_name.' The address has no number! read ('.$s_number.')'."\n";
} else {
echo 'Row: '.$i_row.' '.$s_company_name.' number '.$s_number.' found!'."\n";
}
}
fclose($o_handle);
}
And this is the result:
Look at the results:
| Expression | Result by PHP |
|---|---|
| ‘1’ == 0 | FALSE |
| ” == 0 | TRUE |
| ‘ ‘ == 0 (space) | TRUE |
| ‘ 1’ == 0 (space and 1) | FALSE |
| ‘ 1355’ == 0 (space space and 1355) | FALSE |
| ‘one hundred’ == 0 | TRUE |
| ‘0-1’ == 0 | TRUE |
| ‘Building 5’ == 0 | TRUE |
If you do ‘one string’ == 0 it returns TRUE, but, the mechanichs of why that happens are curious, capricious and quasi-random.
Normally the mechanichs are: PHP sees that has to evaluate a string to a number and converts the string to a number via intval, so ‘ 1355’ == 0 is true because intval(‘ 1355’) returns 1355. Please note that ‘ 1355’ has two spaces.
Ok. That explains everything, but still is dangerous because ‘Building 5’ == 1 returns FALSE but ‘Building 5’ == 0 returns TRUE, so most Junior developers (and many self-called Seniors) will use that instead of ‘Building 5’ === ” empty string.
This is funny, but is more funny when we introduce another line to the CSV:
Fake Address outside US,Somewhere,.1,Andorra,AD100,Andorra
Here we introduced dot one ‘.1’ and when run the program it detects as a number, so is not doing intval(‘.1’) but floatval(‘.1’) that returns 0.1
I introduced a postal code from Andorra because they start with ‘AD’, so ‘AD100’ in the example.
This is to demonstrate that our program would have detected the Postal Codes from US as numbers, but when used to deal with data from other countries would had failed as ‘AD100’ == 0 TRUE.
So always use === to check the type also and do the intval.
In this sample:
if ( !empty($s_postal_code) && intval($s_postal_code) === 0) {
// Wops! The postal code is there but is not a number
}
Also to check the input data to be sure that match the requirements, would have discovered future weird cases like postal codes with letters. Sample:
if (intval($s_postal_code) != $s_postal_code) {
// Wops! The code is not only numeric
}
Many professional people has explained the crazyness about that magic conversion and ‘string’ == 0, so I will not use more time.
Other crazy results
| EXPRESSION | RESULT BY PHP |
|---|---|
| ‘1’ == ‘ 1’ (space and 1) | TRUE |
| ‘1’ == ‘ 1) (several spaces and 1) | TRUE |
| ‘1’ == ‘+1’ (plus sign and 1) | TRUE |
| ‘-1’ == ‘ -1’ (spaces and -1) | TRUE |
| ‘-1’ == ‘ -1.00’ (spaces -1 dot 00) | TRUE |
| ‘-1’ == ‘ -1.000000000000001’ | FALSE |
| ‘-1’ == ‘ -1.000000000000000000000000000000000000000000000001’ | TRUE |
| ‘1.0’ == ‘1.000000000000000’ | TRUE |
| ‘1e10’ == “1000000000” | TRUE |
| ‘1e1’ == “0x0A” | TRUE |
| -1 == ‘ -1’ (integer -1 equal to string with spaces and -1) | TRUE |
So if you register in a PHP system with username 12345 you will be able to login later by entering [space][space][space][space][space]+12345.00000000 or if you pick an username like 1000000000 you’ll be able to login just by entering 1e10 (what could be very bad if there is another user in the system with username 1e10).
So always use the === to check values.
The “amazing” world of ++
Try to add ++ to an string, and to a string that contains decimal symbols…
The ‘horrible’, the floats
As the PHP documentation page says:
Warning
Never cast an unknown fraction to integer, as this can sometimes lead to unexpected results.
So yes…
It is shocking that var_export and var_dump show different values, but more shocking is to get this:
php > $i_valor_float = 81.60;
php > echo intval($i_valor_float * 100).”\n”;
And getting 8159
If you are and e-commerce or a bank losing cents you’ll not be happy.
In fact, the TPV Visa payment for Sermepa is as buggy as:
//-////////////////////////////////////////////
//desc: Asignamos el importe de la compra
//param: importe: total de la compra a pagar
//return: Retornamos el importe ya modificado
public function importe( $importe = 0 )
{
$importe = $this->parseFloat( $importe );
// sermepa nos dice Para Euros las dos últimas posiciones se consideran decimales.
$importe = intval( $importe*100 );
You will have to do some workaround, use strval instead of intval:
php > $i_value_float = 81.60;
php > echo intval($i_value_float * 100).”\n”;
8159
php > echo (9000 – intval($i_value_float * 100)).”\n”;
841
php > echo strval($i_value_float * 100).”\n”;
8160
php > echo (9000 – strval($i_value_float * 100)).”\n”;
840
So in the Sermepa’s code you can do:
$importe = strval($importe*100);
Or:
$importe = intval(strval($importe*100));
Float offers so bizarre scenarios like (code copied from contribution in PHP.net help):
$x = 8 – 6.4; // which is equal to 1.6
$y = 1.6;
var_dump($x == $y);
More funny is to do:
echo $x-$y;
You get:
-4.4408920985006E-16
More information on PHP float here: http://php.net/manual/en/language.types.float.php
Arrays keys being overwritten – part 1
As you know the arrays in PHP can be numeric or string.
As described in PHP documentation about arrays:
The key can either be an integer or a string. The value can be of any type.
Additionally the following key casts will occur:
- Strings containing valid integers will be cast to the integer type. E.g. the key “8” will actually be stored under 8. On the other hand “08” will not be cast, as it isn’t a valid decimal integer.
- Floats are also cast to integers, which means that the fractional part will be truncated. E.g. the key 8.7 will actually be stored under 8.
- Bools are cast to integers, too, i.e. the key true will actually be stored under 1 and the key false under 0.
- Null will be cast to the empty string, i.e. the key null will actually be stored under “”.
- Arrays and objects can not be used as keys. Doing so will result in a warning: Illegal offset type.
If multiple elements in the array declaration use the same key, only the last one will be used as all others are overwritten.
But take a look to the following code:
<?php
$st_array = Array('+1' => 'This is key +1',
'*1' => 'This is key *1',
'-1' => 'This is key -1');
var_dump($st_array);
Look at the dump:
So key of the type string ‘-1’ has been converted to integer key -1.
Fut funny, ‘+1’ has been kept as string ‘+1’. If you do:
echo intval(‘+1’);
You get integer 1. So what is the exact function used to check the key to know if it can be casted to integer remains a mistery.
Arrays keys being overwritten – part 2
Taking the CSV sample file from before, and using the Postal Codes one may notice another problem.
When we load the postal code ‘94025’ it is added to the array as integer key, not string key.
This is a problem if we do an array_merge, because:
Values in the input array with numeric keys will be renumbered with incrementing keys starting from zero in the result array.
Creating an array with key string postal code and merging with another array of postal codes will cause the loss of the index. That is very bad.
There are much more problems.
In Barcelona we have many postal codes starting with 0 like ‘08014’, so those will remain as string key. As said in Andorra there are like ‘AD100’.
So if we have a program like that:
<?php
$st_array = Array( '08014' => 'Postal code from Barcelona, Catalonia',
'94025' => 'Postal code from Menlo Park, California',
'AD100' => 'Postal code from Andorra');
ksort($st_array);
var_dump($st_array);
We will get:
So we got the string sorted, and later the numeric keys sorted. So bad, as ‘08014’ would be expected to be before ‘94025’, but as the last was casted o integer and the first kept as string key, that caused a bizarre result in our postal code sorting program.
That can be very annoying in many cases, imagine you read a fixed length CSV file or you read from a Webservice, XML or databases the age of people stored with 2 digit so ’10’ means ten years old, ’99’ ninety-nine, etc… you will have the guys from 0 to 9 years old (00 to 09) kept as string, while the others as number. Now do an array_merge with another array and the mess is served.
I recommend adding a character infront of your keys to ensure that cast will not be produced, so use ‘C94024’ and ‘C08014’ and ‘CAD100’… Sort algorithms will work, and you will avoid the problems derivated from merging and sorting keys casted to numeric.
Bizarre behaviour on Boolean execution
Some Sysadmins are used to constructions like this in their bash scripts and Python:
true && do_something(); // This evaluates the first part always and then executes do_something();
file_exists(‘/tmp/whatever’) || touch(‘/tmp/whatever’); // If file_exist returns false so then the second part is executed and the file is created
Although I never found documented this way of executing in PHP, it works, and for sure you have seen samples like that:
$result = mysql_query('SELECT foo FROM bar', $o_db) or die('Query failed: ' . mysql_error($o_db));
When working Contractor I found a project using it. It was an habit from the CEO, that came from Systems branch. He had more bad habits like no documenting, programming with vim and refactoring the code of my Team during the weekends with bash replace commands (that caused conflicting variable names, methods, etc…). (* I know is weird that a CEO changes the code but believe me, companies do a lot of crazy things)
He told me that he thought that less lines of code meant more clever developer, and so he was always refactoring clear code to this Boolean a-like execution.
Using that style is bad. It doesn’t allow proper error handling, nor a flux of execution clear nor raising exceptions.
I shown him that this works not like he thought and found samples that crashes the thing:
Trying to throw an exception breaks:
true && throw new Exception('Hello');
If using echo, it breaks:
So it’s really a bad PHP design.
This behaviour is also funny:
So passing by reference an undefined index, causes it to be created with null without any warning.
I found that in the passing variables documentation, in a contributed comment from 10 years ago!. Still happens with PHP 5.5.
More samples:
