php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #45606 FILTER_SANITIZE_NUMBER_INT filters returns "----" as an int
Submitted: 2008-07-23 16:47 UTC Modified: 2008-07-24 12:17 UTC
From: php at displague dot com Assigned: pajoye (profile)
Status: Not a bug Package: Filter related
PHP Version: 5.2.6 OS: ubuntu intrepid
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: php at displague dot com
New email:
PHP Version: OS:

 

 [2008-07-23 16:47 UTC] php at displague dot com 
Description:
------------
In code where I use

filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT, array('options'=>array('min_range'=>1)));

a vulnerability scanner tried to supply a value of <!-- test --> to the id parameter of the page.

This filter statement caused $id=='----'.

Reproduce code:
---------------
$t="<!-- test -->";
$v=filter_var($t, FILTER_SANITIZE_NUMBER_INT, array('options'=>array('min_range'=>1)));

Expected result:
----------------
$v==false

Actual result:
--------------
$v=='----'

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-07-23 16:55 UTC] pajoye@php.net 
The sanitize checks only if all characters used in a given input can be part of an integer, float, etc. If you like to have a strict validation, use FILTER_VALIDATE_INT (or other validating filters).
 [2008-07-23 18:17 UTC] php at displague dot com 
> sanitize checks only if all characters used in a given
> input can be part of an integer, float, etc

Where does it say that? http://php.net/manual/en/intro.filter.php
From what I could gather from the docs, 
filter_var should return:
 Returns the filtered data, or FALSE if the filter fails. 
and filter_input should return:

Value of the requested variable on success, FALSE if the filter fails, or NULL if the variable_name  variable is not set. If the flag FILTER_NULL_ON_FAILURE is used, it returns FALSE if the variable is not set and NULL if the filter fails.

I understand that FILTER_VALIDATE_INT is not as stringent as FILTER_SANITIZE_NUMBER_INT, but given these input and return combinations:

input   return
x.9      9
x-9     -9
x       ''
-       -
+       +
++      ++
--      --

Then given the string, "<!-- test -->", how is a return value of "----" a valid INT with a minimum of 1?

I assume a regular expression is behind this filter, and at the very least I expect that it needs to be updated to only match no more than one "-" or "+" only if it is followed by a "." or [0-9].  Possibly others depending on localization settings.

It's not much of a validation filter as it exists currently.
 [2008-07-23 18:46 UTC] php at displague dot com 
I used FILTER_SANITIZE_NUMBER_INT and FILTER_VALIDATE_INT backward in my last comment.

Still, neither filter should ever return '----' as an INT with a minimum value of 1.
 [2008-07-24 12:17 UTC] lbarnaud@php.net 
This result is expected, the documentation for FILTER_SANITIZE_NUMBER_INT says: "Remove all characters except digits, plus and minus sign".

FILTER_VALIDATE_INT works as you expect: It does not outputs invalid numbers and does range check using the min/max_range options.
 [2013-10-01 11:00 UTC] jobindcruz at gmail dot com 
Still FILTER_SANITIZE_NUMBER_INT function return Minus(-) Sign
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Oct 30 17:00:01 2025 UTC