PHP allows something called "Type Juggling." This means that it can treat strings containing numbers the same way it treats integers or floats, and can perform math and do comparisons between these different types as long as the loose comparison operator == is used instead of the strict comparison operator ===. For developers, Type Juggling can be very useful and save time when writing code, but it can sometimes lead to unusual behavior.
A classic example of how Type Juggling can cause issues is that comparing 0 == "blah" will return true. PHP 8 fixes this type of behavior so that these and similar comparisons (e.g., 0 == "0blah") will return false.
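As an added illustration (not code from the original article), the following PHP script puts the loose comparisons above beside their strict form and shows a nonce/token check written so that its result never depends on type juggling. The token value is constructed for the example.

```php
<?php
// Added example: loose vs. strict comparison across PHP 7 and PHP 8,
// plus a token check that is safe under either comparison semantics.

function compare_loose(int $lhs, string $rhs): bool {
    return $lhs == $rhs;   // loose: type juggling applies
}

function compare_strict(int $lhs, string $rhs): bool {
    return $lhs === $rhs;  // strict: different types are never equal
}

// The two strings from the article plus numeric strings for contrast.
$cases = ['blah', '0blah', '0', ' 0', '0.0'];
foreach ($cases as $rhs) {
    printf("0 == %-8s loose=%-5s strict=%s\n",
        var_export($rhs, true),
        var_export(compare_loose(0, $rhs), true),
        var_export(compare_strict(0, $rhs), true));
}
// PHP 7.x loose: 'blah' true, '0blah' true, '0' true, ' 0' true, '0.0' true
// PHP 8.x loose: 'blah' false, '0blah' false, '0' true, ' 0' true, '0.0' true
// strict is false for every case on every version (int vs. string).

// Hardened check for a secret such as a nonce or API token: reject anything
// that is not a non-empty string, then compare with hash_equals() so neither
// type juggling nor early-exit timing affects the outcome. $supplied is left
// untyped on purpose, because request data may arrive as any type.
function token_matches(string $expected, $supplied): bool {
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($expected, $supplied);
}

var_dump(token_matches('8f3a9c', 0));        // bool(false) on PHP 7 and 8
var_dump(token_matches('8f3a9c', '0'));      // bool(false)
var_dump(token_matches('8f3a9c', '8f3a9c')); // bool(true)
```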
By and large, this will actually improve security. There are a number of exploits that can take advantage of PHP’s Type Juggling behavior to bypass nonstandard cookie, nonce, or password checks. Nonetheless, a large number of plugins use these loose comparisons, sometimes for critical functions. In most cases these will continue to work correctly when using PHP 8, but a few of them might actually rely on incorrect behavior in order to function properly. In a few rare circumstances, this might open up new security holes.
The onus of updating code for compatibility with PHP 8 could prove to be too much for some developers, and many plugins and themes may end up abandoned, though this is less likely to happen for plugins and themes with a large install base. Any security issues in these abandoned plugins and themes would go unpatched, which could prove disastrous.
Likewise, many websites may remain on an insecure version of PHP in order to keep their legacy plugins running.
Finally, certain strains of malware rely on deprecated functions as well as PHP’s fault tolerance in order to obfuscate their intentions. These strains will cease to function or become more noticeable in a PHP 8 environment, but malware authors will adapt in time.