Bug #45606 FILTER_SANITIZE_NUMBER_INT filters returns "----" as an int
Submitted: 2008-07-23 16:47 UTC Modified: 2008-07-24 12:17 UTC
From: php at displague dot com Assigned: pajoye (profile)
Status: Not a bug Package: Filter related
PHP Version: 5.2.6 OS: ubuntu intrepid
Private report: No CVE-ID: None
 [2008-07-23 16:47 UTC] php at displague dot com
Description:
------------
In code where I use

filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT, array('options'=>array('min_range'=>1)));

a vulnerability scanner tried to supply a value of <!-- test --> to the id parameter of the page.

This filter statement caused $id=='----'.

Reproduce code:
---------------
$t="<!-- test -->";
$v=filter_var($t, FILTER_SANITIZE_NUMBER_INT, array('options'=>array('min_range'=>1)));

Expected result:
----------------
$v==false

Actual result:
--------------
$v=='----'

 [2008-07-23 16:55 UTC] pajoye@php.net
The sanitize filters check only whether all characters used in a given input can be part of an integer, float, etc. If you would like strict validation, use FILTER_VALIDATE_INT (or another validating filter).
 [2008-07-23 18:17 UTC] php at displague dot com
> sanitize checks only if all characters used in a given
> input can be part of an integer, float, etc

Where does it say that? http://php.net/manual/en/intro.filter.php
From what I could gather from the docs, filter_var should return:

 Returns the filtered data, or FALSE if the filter fails.

and filter_input should return:

Value of the requested variable on success, FALSE if the filter fails, or NULL if the variable_name  variable is not set. If the flag FILTER_NULL_ON_FAILURE is used, it returns FALSE if the variable is not set and NULL if the filter fails.

I understand that FILTER_VALIDATE_INT is not as stringent as FILTER_SANITIZE_NUMBER_INT, but given these input and return combinations:

input   return
x.9     9
x-9     -9
x       ''
-       -
+       +
++      ++
--      --

Then given the string, "<!-- test -->", how is a return value of "----" a valid INT with a minimum of 1?

I assume a regular expression is behind this filter, and at the very least I expect that it needs to be updated to only match no more than one "-" or "+" only if it is followed by a "." or [0-9].  Possibly others depending on localization settings.

It's not much of a validation filter as it exists currently.
 [2008-07-23 18:46 UTC] php at displague dot com
I used FILTER_SANITIZE_NUMBER_INT and FILTER_VALIDATE_INT backward in my last comment.

Still, neither filter should ever return '----' as an INT with a minimum value of 1.
 [2008-07-24 12:17 UTC] lbarnaud@php.net
This result is expected; the documentation for FILTER_SANITIZE_NUMBER_INT says: "Remove all characters except digits, plus and minus sign".

FILTER_VALIDATE_INT works as you expect: it does not output invalid numbers and does a range check using the min_range/max_range options.
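An added example, not part of the bug report or of PHP's own source, that runs the two filters side by side on the scanner value from the report ("<!-- test -->") and on the strings from the reporter's table. filter_var() stands in for filter_input() so the script runs without an HTTP request; the sample strings are constructed and readPositiveId is a hypothetical helper name. The min_range option is passed to the sanitizing filter exactly as in the report, where it has no effect, and to the validating filter, where it is enforced.

```php
<?php
// Added example: FILTER_SANITIZE_NUMBER_INT strips characters, it does not
// decide whether the result is an integer. FILTER_VALIDATE_INT does that
// decision and applies min_range/max_range, which is what an "id" parameter
// needs before it reaches a database query or an array lookup.

declare(strict_types=1);

/**
 * Hypothetical helper: accept an "id" only when it is an integer >= 1.
 * Returns the int on success and null on any failure. FILTER_NULL_ON_FAILURE
 * is used so the failure value can never be confused with a legitimate 0
 * (checking `if (!$id)` against a FALSE return is a classic mistake once
 * min_range is relaxed to allow 0).
 */
function readPositiveId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
    return $id; // int on success, null otherwise
}

/** Same input through the sanitizing filter, as written in the bug report. */
function sanitizeOnly(string $raw): string
{
    // 'min_range' is not an option of FILTER_SANITIZE_NUMBER_INT and is ignored;
    // only digits, '+' and '-' survive, in whatever order and count they appeared.
    return filter_var($raw, FILTER_SANITIZE_NUMBER_INT, [
        'options' => ['min_range' => 1],
    ]);
}

// Constructed inputs: the scanner payload from the report, the reporter's
// table rows, and a few boundary cases for the validating filter.
$samples = ['<!-- test -->', 'x.9', 'x-9', 'x', '-', '+', '++', '--', '+7', '42', '0', '09', ' 42 '];

printf("%-16s %-10s %s\n", 'input', 'sanitize', 'validate(min_range=1)');
foreach ($samples as $raw) {
    printf(
        "%-16s %-10s %s\n",
        var_export($raw, true),
        var_export(sanitizeOnly($raw), true),
        var_export(readPositiveId($raw), true)
    );
}

// The defensive pattern: validate first, and only then use the value.
$id = readPositiveId('<!-- test -->');
if ($id === null) {
    echo "rejected: not an integer >= 1\n";
} else {
    echo "accepted id {$id}\n";
}
```

The sanitizing column reproduces the report's "----" for the scanner payload, while readPositiveId() rejects it, as lbarnaud describes. Sanitizing output is still useful for display cleanup, but a parameter that selects a record should go through the validating filter, and the result should be checked with a strict comparison (`=== false`, or `=== null` under FILTER_NULL_ON_FAILURE) rather than a truthiness test.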



 [2013-10-01 11:00 UTC] jobindcruz at gmail dot com
FILTER_SANITIZE_NUMBER_INT still returns the minus (-) sign.