May 15, 2023

Level 23

PHP function authorize failing using strict comparator - PHP for beginners

I'm a newbie in need of some help!

Both 'user_id' and 'id' are of type integer in the database tables

I'm matching 'user_id' with 'id' to validate the creator of a simple note. The following code snippet will always return the 403 not authorized, using the strict operator ===

authorize($note['user_id'] === $currentUserId);

... but it will return the expected result if I use the comparison ==

This is returned from dd($currentUserId);

int(2)

...and this is returned with dd($notes);

[0]=> array(3) { ["id"]=> string(2) "26" ["body"]=> string(17) "Keep Learning PHP" ["user_id"]=> string(1) "2" }

The ["id"]=> string(2) "26" , is the id of the posted note. $currentUserId = 2; is hardcoded for now as '2'.

I don't understand why it's failing with ===

or if the value being passed as a string, or as an integer?

The following code will not trigger the 403 error

// note.php
<?php

$config = require('config.php');
$db = new Database($config['database']);

$heading = 'Note';

// hardcode user 'id' to allow viewing the notes created by that user id //

$currentUserId = 2;

    $note = $db->query('select * from notes where id = :id', [
    'id' => $_GET['id']]
    )->findOrFail();

    // dd($currentUserId); //

authorize($note['user_id'] == $currentUserId);

// dd($id); //

require "views/note.view.php";

// notes.php
<?php

$config = require('config.php');
$db = new Database($config['database']);

$heading = 'My Notes';

// lists  what notes are created by user_id =  ' //

$notes = $db->query('select * from notes where user_id = 2')->get();

// dd($notes); //

require "views/notes.view.php";

// functions.php
<?php

function dd($value)


{
    echo "<pre>";
    var_dump($value);
    echo "</pre>";
    die();
}
function urlIs($value) {
    return $_SERVER['REQUEST_URI'] === $value;
    
}
  
function authorize($condition, $status = Response::FORBIDDEN) {
    if (! $condition) {
        abort($status);

    }
}

// Database.php
<?php

class Database
{
    public $connection;
    public $statement;

    public function __construct($config, $username = 'root', $password = '')
    {
        $dsn = 'mysql:' . http_build_query($config, '', ';');

        $this->connection = new PDO($dsn, $username, $password, [
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
        ]);
    }

    public function query($query, $params = [])
    {
        $this->statement = $this->connection->prepare($query);

        $this->statement->execute($params);

        return $this;
    }

        public function get()
    {
        return $this->statement->fetchAll();
    }

    public function find()
    {
        return $this->statement->fetch();
    }

    public function findOrFail()
    {
        $result = $this->find();

        if (! $result) {
            abort();
        }
//dd($result);
        return $result;
    }
}

LaryAI

3 years ago

Level 58

The issue is that the 'user_id' and 'id' values are being compared as different types. The 'user_id' value is being retrieved from the database as a string, while the $currentUserId value is an integer. When using the strict comparison operator (===), the types must match as well as the values. Therefore, the comparison will fail.

To fix this issue, you can cast the 'user_id' value to an integer before comparing it to $currentUserId. You can do this using the intval() function. Here's an example:

authorize(intval($note['user_id']) === $currentUserId);

This will cast the 'user_id' value to an integer before comparing it to $currentUserId, ensuring that both values are of the same type.

Alternatively, you can also cast $currentUserId to a string before comparing it to 'user_id'. Here's an example:

authorize($note['user_id'] === strval($currentUserId));

This will cast $currentUserId to a string before comparing it to 'user_id', ensuring that both values are of the same type.

Snapey

3 years ago

Level 122

what column type is user_id in the notes table? Maybe you just need to fix your migration?

pdonahu1

3 years ago

Level 23

Thanks, Snappy!

The column type for user_id in the notes table was set for type int(11), Using / adding the intval() function put me back in business. I'm dangerously new at this stuff, and just wasn't sure if I was interpreting the dump / die correctly as it appeared to be a string?

Even though both the notes table and users table have 'user_id', and 'id' of type integer, and passed the same value - the following code didn't work:

authorize($note['user_id'] === $currentUserId);

This did work:

authorize(intval($note['user_id']) === $currentUserId);

newbie360

3 years ago

Level 24

@pdonahu1 $note['user_id'] is string, $currentUserId is int, so use === return false

Snapey

3 years ago

Level 122

@pdonahu1 I'm asking about the column type because I'm puzzled why eloquent is returning a string for the note user_id it should be returning an int.

You could explicitly cast it in the model

Edit: Oh I see now .... You are not using Eloquent so all the affordances I take for granted as part of the framework are not available to you. Is this a Laravel project? Why are you not using query builder or Eloquent?

pdonahu1

3 years ago

Level 23

@Snapey I'm working through Jeff's PHP For Beginners course before moving forward to Laravel, which is next on my list.

Please or to participate in this conversation.