If anyone is wondering why: PHP's strpos() returns “false” when the second string argument does not occur as a substring of the first argument, and returns 0 when the second string argument occurs at position 0 of the first string argument. Thus, strpos( "/admin", "/admin" ) returns 0, but strpos( "Cabbage/admin", "/admin" ) will return a positive integer.
You're supposed to test the return value explicitly: “if( strpos( $a, $b ) !== false)”, but it only says that like five times in giant red letters on the manual page (http://us2.php.net/strpos) so it's easy to see how someone could miss it.
“Re: Cabbage Based Authentication [1]”
Besides being reason #3.1415926 for hating PHP [2], this is a further example of my dislike for dynamically typed languages (and muddled thinking [3]). What we have here is a function that returns a positive integer if we find one string within another, but a boolean otherwise. This mixing of return types is further compounded by the fact that in PHP, an integer value of 0 is also treated as the boolean “false” value.
So let's not fix strpos() to return something sane, like -1 for “string not found,” let's instead extend the language with a silly “boolean only comparison” to fix this particular problem.
I would really love to know what Rasmus Lerdorf was smoking [4] …
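The behaviour described in the quoted comment, as an added example that is not code from the original article or comment: two truthiness-based checks that misread a match at offset 0, next to the strict comparison the manual asks for. The function names and sample paths are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the sample paths at the bottom are constructed input.

// Flawed: relies on truthiness, so a match at offset 0 is read as "not found".
function containsTruthy(string $haystack, string $needle): bool
{
    if (strpos($haystack, $needle)) {
        return true;
    }
    return false;
}

// Also flawed: loose comparison, because 0 == false is true in PHP.
function containsLooseEq(string $haystack, string $needle): bool
{
    return !(strpos($haystack, $needle) == false);
}

// Correct: only the boolean false (checked with !==) means "not found".
function containsStrict(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) !== false;
}

$needle  = '/admin';
$samples = ['/admin', 'Cabbage/admin', '/public/index.php'];

// Print the raw strpos() result beside each check's verdict.
foreach ($samples as $path) {
    printf(
        "%-18s strpos=%-5s truthy=%-5s looseEq=%-5s strict=%s\n",
        $path,
        var_export(strpos($path, $needle), true),
        var_export(containsTruthy($path, $needle), true),
        var_export(containsLooseEq($path, $needle), true),
        var_export(containsStrict($path, $needle), true)
    );
}
```

Only the first sample separates the three checks: the needle sits at offset 0 there, so both loose variants report it as absent while the strict one reports it as present.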
[1] http://worsethanfailure.com/Comments/Cabbage_Based_Authentication.aspx#