php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41250 Filter SANITIZE_STRING only filters backslash when escaping
Submitted: 2007-05-01 09:52 UTC Modified: 2007-05-02 15:42 UTC
From: david at emomentum dot co dot uk Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5CVS-2007-05-01 (snap) OS: Windows XP
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: david at emomentum dot co dot uk
New email:
PHP Version: OS:

 

 [2007-05-01 09:52 UTC] david at emomentum dot co dot uk
Description:
------------
The filter FILTER_SANITIZE_STRING only filters out a backslash when it is escaping something. This means if a backslash is entered into a form without escaping anything, it will not be filtered and could be executed into SQL, therefore triggering an escape within the SQL and generating an error.

Reproduce code:
---------------
<?php
$value = '\'example';
echo filter_var($value, FILTER_SANITIZE_STRING).'<br />';

$value = '\example';
echo filter_var($value, FILTER_SANITIZE_STRING).'<br />';
?>

Expected result:
----------------
'example
example

Actual result:
--------------
'example
\example

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-05-02 12:20 UTC] stas@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Neither example actually filters backslash. First example doesn't even see backslash since \' is parsed as one symbol - single quote, escaped by the backslash. I think if you intend to use it with SQL it's better to use either FILTER_SANITIZE_MAGIC_QUOTES or encoding filter.
 [2007-05-02 13:04 UTC] derick@php.net
You should use bind/prepared queries for SQL, definitely *not* the magic quotes filter.
 [2007-05-02 15:42 UTC] david at emomentum dot co dot uk
You don't want to be used a bind/prepared statement for every query with user submitted data though. Personally, I'd expect the FILTER_SANITIZE_STRING filter to filter out special characters like \ anyway.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC