PHP :: Bug #82016 :: usage of +- in strtotime results in unexpected output with PHP8.2

Bug #82016	usage of +- in strtotime results in unexpected output with PHP8.2
Submitted:	2023-07-27 08:26 UTC	Modified:	2023-07-27 11:14 UTC
From:	hallo at davidgreiner dot de	Assigned:
Status:	Not a bug	Package:	Date/time related
PHP Version:	8.2.8	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	hallo at davidgreiner dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2023-07-27 08:26 UTC] hallo at davidgreiner dot de

Description:
------------
Hello!

In case of strtotime is used with '+- <date/time-string>' the output differs with PHP8.2 compared to PHP8.1 

In my opionion - depending on the usage and codebase - this COULD be a security risk, thats why i am posting this here and not in the public bug tracker in github. 

Test script:
---------------
<?php

$foo = strtotime('+-2 hours');
$bar = strtotime('-2 hours');

echo '+-2 hours equals -2 hours = ' . ($foo === $bar ? 'yes' : 'no') . PHP_EOL;



Expected result:
----------------
OUTPUT with PHP8.1: +-2 hours equals -2 hours = yes

Actual result:
--------------
OUTPUT with PHP8.2: +-2 hours equals -2 hours = no

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2023-07-27 11:13 UTC] derick@php.net

-Status: Open +Status: Not a bug -Type: Security +Type: Bug -Package: *General Issues +Package: Date/time related

[2023-07-27 11:13 UTC] derick@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This issue comes nowhere close to the requirements for this being classed as a security. As a matter of fact, this change is documented in the PHP 8.2 migration guide: https://www.php.net/manual/en/migration82.incompatible.php

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Nov 12 21:00:01 2025 UTC