Bug #40156 FILTER_SANITIZE_NUMBER_FLOAT incorrect when multiple dots in value
Submitted: 2007-01-17 20:01 UTC
Modified: 2007-01-17 20:36 UTC
From: pmjones88 at gmail dot com
Assigned:
Status: Not a bug
Package: Filter related
PHP Version: 5.2.0
OS: Mac OS X
Private report: No
CVE-ID: None
 [2007-01-17 20:01 UTC] pmjones88 at gmail dot com
Description:
------------
When using FILTER_SANITIZE_NUMBER_FLOAT with FILTER_FLAG_ALLOW_FRACTION, it seems to allow any number of decimal points, not just a single decimal point.  This results in an invalid value being reported as sanitized. 

Reproduce code:
---------------
<?php
$val = 'abc ... 123.45 ,.../';
$san = filter_var($val, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
var_dump($san);
?>

Expected result:
----------------
float 123.45

Actual result:
--------------
string(12) "...123.45..." 

 [2007-01-17 20:11 UTC] pajoye@php.net
Use FILTER_VALIDATE_FLOAT if you would like to validate a string and get a float value. Sanitizing filters only clean the string.
 [2007-01-17 20:12 UTC] tony2001@php.net
http://php.net/filter
FILTER_SANITIZE_NUMBER_FLOAT - Remove all characters except digits, +- and optionally .,eE.

It's not supposed to validate the result.
 [2007-01-17 20:23 UTC] pmjones88 at gmail dot com
Then it should at least fail when it realizes that the value isn't going to be useful as a float.  Maybe I don't get it; a "sanitized" float should return as a "float".  Otherwise you're just stripping non-numeric characters, which is not quite the same thing.
 [2007-01-17 20:25 UTC] derick@php.net
No, that's what the logical filters are for.
 [2007-01-17 20:26 UTC] tony2001@php.net
Again, a sanitizing filter just sanitizes the input data, it does not validate it.
 [2007-01-17 20:33 UTC] pmjones88 at gmail dot com
When I try pajoye's suggestion, to use validation, it does not return a float as he says it should.  Instead, it (properly) returns false.

    $val = 'abc ... 123.45 ,.../';
    $san = filter_var($val, FILTER_VALIDATE_FLOAT);
    var_dump($san); // (bool) false

What's a guy gotta do to get a float out of that?
 [2007-01-17 20:36 UTC] derick@php.net
The string you're passing is obviously not a valid float... as it has all kinds of weird stuff around it. Of course it returns "false" (invalid data) in this case. ext/filter is not a regular expression collection... it's there to filter out unwanted characters (sanitizing filters) or to validate the contents of a string as a specific type of data.
 [2010-09-17 15:38 UTC] ndesbarats at gmail dot com
Had the same problems as pmjones88, and wrote a function to extract floats (and ints) more intelligently from strings that contain superfluous characters. Hope this helps. I think something like this should be added as a core PHP function, since I have to believe that it addresses a pretty common need:

http://www.choosingsmarter.com/2010/09/extracting-a-number-from-a-string-in-php.html
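
The sanitize/validate distinction discussed in this thread, as an added example that is not part of the report or of any comment: it compares validating the raw value with sanitizing first and validating afterwards. The helper names `strict_float()` and `sanitize_then_validate()` are hypothetical and the sample inputs are constructed; the `'10 or 20'` case shows how sanitizing first can turn input that strict validation rejects into an accepted, different number.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the bug report or from ext/filter.
// Both helper names are hypothetical.

/** Validate the raw input as a float; null means "reject the input". */
function strict_float(string $raw): ?float
{
    // FILTER_NULL_ON_FAILURE returns null on failure instead of false,
    // so a failure cannot be confused with 0.0 in a loose comparison.
    return filter_var($raw, FILTER_VALIDATE_FLOAT, FILTER_NULL_ON_FAILURE);
}

/** Sanitize first, then validate: accepts more, and may change the meaning. */
function sanitize_then_validate(string $raw): ?float
{
    // Sanitizing only strips characters; the result is still a string
    // and may not be a well-formed number.
    $clean = filter_var($raw, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
    return filter_var($clean, FILTER_VALIDATE_FLOAT, FILTER_NULL_ON_FAILURE);
}

// Constructed sample inputs.
$samples = [
    '123.45',               // well-formed
    'abc ... 123.45 ,.../', // the value from this report
    '10 or 20',             // the sanitizer joins the digits into one number
    '1.2.3',                // multiple dots survive sanitizing
];

foreach ($samples as $raw) {
    $clean = filter_var($raw, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
    printf(
        "raw=%s sanitized=%s strict=%s sanitize+validate=%s\n",
        var_export($raw, true),
        var_export($clean, true),
        var_export(strict_float($raw), true),
        var_export(sanitize_then_validate($raw), true)
    );
}
```

For values that feed security decisions (amounts, limits, identifiers), treat a `null` from the strict path as a rejected request rather than repairing the input.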
 