Bug #60541 FILTER_SANITIZE_NUMBER_INT fails to filter strings with plus and minus
Submitted: 2011-12-16 00:07 UTC Modified: 2011-12-17 18:21 UTC
From: klaussilveira@php.net Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.3.8 OS: UNIX
Private report: No CVE-ID: None
 [2011-12-16 00:07 UTC] klaussilveira@php.net
Description:
------------
The filter_var FILTER_SANITIZE_NUMBER_INT filter fails to sanitize plus and minus 
signs in a string. This is the expected behavior, since + and - are accepted in 
an integer. However, the filter fails to recognize multiple + and -, returning a 
string instead of an integer.

For example: 

filter_var("I'm+captain4", FILTER_SANITIZE_NUMBER_INT); // returns +4, OK!
filter_var("I'm++captain4", FILTER_SANITIZE_NUMBER_INT); // returns ++4, FAILURE!

I wrote a small patch that makes the filter ignore + and - signs, which, I 
believe, is the best behavior for this. 

Test script:
---------------
<?php

// Normal behavior
$a = filter_var("I'm+captainSp4rrow!", FILTER_SANITIZE_NUMBER_INT);
$b = filter_var("I'm+captain4", FILTER_SANITIZE_NUMBER_INT);

echo "$a and $b" . PHP_EOL;
echo $a + $b . PHP_EOL;

// Problems come in when we have multiple minus or plus signs in the string
$a = filter_var("I'm++captainSp4rrow!", FILTER_SANITIZE_NUMBER_INT);
$b = filter_var("I'm++captain4", FILTER_SANITIZE_NUMBER_INT);

echo "$a and $b" . PHP_EOL;
echo $a + $b . PHP_EOL;

Expected result:
----------------
4 and 4
8
4 and 4
8


Patches

sanitize_integers (last revision 2011-12-16 00:07 UTC by klaussilveira@php.net)

History

 [2011-12-16 00:07 UTC] klaussilveira@php.net
The following patch has been added/updated:

Patch Name: sanitize_integers
Revision:   1323994062
URL:        https://bugs.php.net/patch-display.php?bug=60541&patch=sanitize_integers&revision=1323994062
 [2011-12-16 00:17 UTC] klaussilveira@php.net
The most elegant solution was to detect only + and - signs that are next to a 
number, and remove all others. For example:

filter_var("ad--td#$@++qsdh-3", FILTER_SANITIZE_NUMBER_INT); // returns -3

Right now, the filter behavior is: 

filter_var("ad--td#$@++qsdh-3", FILTER_SANITIZE_NUMBER_INT); // returns --++-3

Which is VERY bad and HORRIBLY wrong.
 [2011-12-17 14:31 UTC] cataphract@php.net
The purpose of the sanitisation filters is not to transform data so as to make it valid, it merely "removes undesirable characters" (see http://php.net/manual/en/intro.filter.php ). Though this description is not entirely correct (for instance FILTER_SANITIZE_SPECIAL_CHARS with FILTER_FLAG_ENCODE_HIGH will transform some characters into HTML entities -- in a rather flawed way, I must say, because it arbitrarily assumes a sort of ISO-8859-1 extension), what is clear is that data may very well still be invalid after running the sanitisation filters.
 [2011-12-17 14:31 UTC] cataphract@php.net
-Status: Open +Status: Bogus
 [2011-12-17 14:31 UTC] cataphract@php.net
Plus, this matches perfectly the documentation ("Remove all characters except digits, plus and minus sign.")
 [2011-12-17 17:23 UTC] klaussilveira@php.net
Yes, it matches the documentation. But filtering "ad--td#$@++qsdh-3" and returning 
"--++-3" is wrong. The filter is not implemented correctly, it should remove all + 
and - characters that are not next to a number. Filtering "ad--td#$@++qsdh-3" 
should return "-3", that's a valid integer.
 [2011-12-17 18:18 UTC] cataphract@php.net
Nothing says it should return a valid integer, just like the e-mail sanitization filter doesn't have to return a valid e-mail.
 [2011-12-17 18:21 UTC] pajoye@php.net
In other words, and as stated in the documentation, what you are looking for are 
the validate filters, in this case FILTER_VALIDATE_INT, see 
http://www.php.net/manual/en/filter.filters.validate.php
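As an added example (not code from this bug thread or from PHP's own sources), the PHP 7.1+ script below puts the two filters side by side on constructed inputs, including the string quoted in the thread: the sanitize filter only strips characters and can hand back a non-numeric string such as the reported "--++-3", while FILTER_VALIDATE_INT returns an int only when the whole string is an integer and can also enforce a range. The helper names sanitizeOnly and readInt are my own.

```php
<?php
// Added example: sanitize vs validate for integer input.
// Not part of the bug report; helper names are invented for illustration.

/**
 * FILTER_SANITIZE_NUMBER_INT removes everything except digits, '+' and '-'.
 * It never checks that what remains is an integer, so callers must not treat
 * its result as trusted numeric data.
 */
function sanitizeOnly(string $input)
{
    return filter_var($input, FILTER_SANITIZE_NUMBER_INT);
}

/**
 * FILTER_VALIDATE_INT accepts the string only if, after trimming whitespace,
 * it is a whole decimal integer (no leading zeros, no hex, no sign soup).
 * The optional range turns "is an int" into "is an int we are willing to use".
 * null is returned for invalid input so a legitimate 0 is not confused with failure.
 */
function readInt(string $input, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
{
    $result = filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $result === false ? null : $result;
}

// Constructed inputs; the first two are the strings discussed in the thread.
$samples = [
    'ad--td#$@++qsdh-3',
    "I'm++captain4",
    '-3',
    '42',
    ' 7 ',
    '0x1A',
    '007',
];

foreach ($samples as $s) {
    printf(
        "%-22s sanitize => %-10s validate => %s\n",
        var_export($s, true),
        var_export(sanitizeOnly($s), true),
        var_export(readInt($s, 0, 100), true)
    );
}
```

The sanitize column shows why the thread's output is not a defect in the filter's contract: the sanitizer is not a parser. Anything that must be an integer should go through readInt (or FILTER_VALIDATE_INT directly) and a null result should be treated as rejected input.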
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri May 09 13:01:28 2025 UTC