PHP :: Request #49274 :: filter_var() should accept objects without fatal error

Request #49274	filter_var() should accept objects without fatal error
Submitted:	2009-08-16 22:09 UTC	Modified:	2010-05-05 17:37 UTC
From:	cellog@php.net	Assigned:	pajoye (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	5.3SVN-2009-08-16 (SVN)	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	cellog@php.net
New email:
PHP Version:		OS:

New Comment:

[2009-08-16 22:09 UTC] cellog@php.net

Description:
------------
<?php
filter_var(new stdClass, FILTER_VALIDATE_EMAIL);
?>

throws a fatal error because stdClass can't be converted into a string.  filter_var() should be more flexible and simply return false in this situation, it makes it very difficult to provide validation not just for untrusted user input but for untrusted third party use of libraries who may make it insecure by passing in the wrong value to a field for setting.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-08-17 09:32 UTC] jani@php.net

Does this happen ONLY with PHP_5_3 branch? If not, please use the proper version string.

[2009-08-17 11:45 UTC] cellog@php.net

don't know, that's up to the developers to decide, don't you think?

[2009-08-17 13:13 UTC] jani@php.net

This is not a bug. It's exactly what's supposed to happen. When you pass crap in you get crap out. The language isn't supposed to hold your hand in every corner.

[2009-08-17 13:27 UTC] cellog@php.net

<?php
var_dump(filter_var(null, FILTER_VALIDATE_INT));
var_dump(filter_var(array(), FILTER_VALIDATE_INT));
var_dump(filter_var('hi', FILTER_VALIDATE_INT));
var_dump(filter_var(1.1, FILTER_VALIDATE_INT));
var_dump(filter_var(fopen('somefile', 'r'), FILTER_VALIDATE_INT));
var_dump(filter_var(1, FILTER_VALIDATE_INT));
var_dump(filter_var('1.0', FILTER_VALIDATE_INT));
?>

all work without error.

<?php
class blah {function __toString(){return '1';}}
var_dump(filter_var(new blah, FILTER_VALIDATE_INT));
?>

works without error.

Only filter_var with an object that doesn't implement __toString fails with an error.  Either filter is incorrectly returning false with no error on all of those other random types, or you're wrong, Jani.

[2009-08-17 13:48 UTC] pajoye@php.net

As StdClass has no __toString implementation (obviously), it can't be converted to string.

I tend to agree that it should not raise a fatal (recovable error) here as it defeats the main purpose of this API.

I'm however not sure it is worth the effort to add custom error handler for this edge case. Patch welcome, it could help to get this edge case solved (I can't work on this exact issue any time soon).

[2009-08-17 13:52 UTC] cellog@php.net

the stdClass was just to illustrate the point, this happens with any object that doesn't have a __toString().  I would imagine it would be easier to check for IS_OBJECT and then see if it implements __toString than to do a custom error handler.  The performance should be about the same (dismal).

[2009-08-17 13:55 UTC] pajoye@php.net

it is indeed valid for all objects but it is still an edge case.

A check for IS_OBJECT + tostring() existence could be easy enough and with almost no impact(perf impact is null on the existing application). If you have some time to write one, go ahead.

[2009-08-17 21:59 UTC] pajoye@php.net

http://pastie.org/586442 should do it. I did not not test more than the test case here.

[2009-09-05 17:35 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=288083
Log: - fix #49274, filter_var does not accept object without a toString implementation

[2009-09-05 17:37 UTC] pajoye@php.net

I will close it as soon as it gets merged in 5.3.1, if the RM agrees.

[2009-10-09 17:32 UTC] svn@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=289434
Log: - Merge: fix #49274, filter_var does not accept object without a toString implementation

[2010-05-05 17:37 UTC] pajoye@php.net

-Status: Assigned +Status: Closed -Package: Feature/Change Request +Package: *General Issues

[2016-09-09 10:23 UTC] cmb@php.net

Related To: Bug #73054

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 20:01:29 2024 UTC