Bug #70882 Inconsistent return value for FILTER_SANITIZE_... when applied to empty objects
Submitted: 2015-11-09 14:29 UTC Modified: 2018-03-12 17:14 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: bugs dot php dot net_nospam at adviesenzo dot nl Assigned: cmb (profile)
Status: Not a bug Package: Filter related
PHP Version: 7.0.0RC6 OS:
Private report: No CVE-ID: None
 [2015-11-09 14:29 UTC] bugs dot php dot net_nospam at adviesenzo dot nl
Description:
------------
Using filter_var() with any of the FILTER_SANITIZE_... filters will return either the sanitized value or an empty string.
This works for every single type of variable *but* an empty object.

With an empty object it returns `false` or, in case the FILTER_NULL_ON_FAILURE flag is set, `false` in PHP 5 or `null` in PHP 7 (related: https://bugs.php.net/bug.php?id=67167).

Behaviour can be observed in numerous PHP versions here: http://phpcheatsheets.com/test/filter_extension_bool_int_float/
http://phpcheatsheets.com/test/filter_extension_strings/


Test script:
---------------
<?php
var_dump( filter_var( null, FILTER_SANITIZE_STRING ) ); // prints ''
var_dump( filter_var( '', FILTER_SANITIZE_STRING ) ); // prints ''
var_dump( filter_var( new stdClass(), FILTER_SANITIZE_STRING ) ); // prints bool(false)

var_dump( filter_var( null, FILTER_SANITIZE_NUMBER_FLOAT ) ); // prints ''
var_dump( filter_var( '', FILTER_SANITIZE_NUMBER_FLOAT ) ); // prints ''
var_dump( filter_var( new stdClass(), FILTER_SANITIZE_NUMBER_FLOAT ) ); // prints bool(false)

var_dump( filter_var( null, FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE ) ); // prints ''
var_dump( filter_var( '', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE ) ); // prints ''
var_dump( filter_var( new stdClass(), FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE ) ); // prints NULL

Expected result:
----------------
When a sanitize filter is used on an empty object, I would expect PHP to return an empty string. This would make the behaviour more consistent.


 [2018-03-12 17:14 UTC] cmb@php.net
-Status: Open
+Status: Not a bug
-Assigned To:
+Assigned To: cmb
 [2018-03-12 17:14 UTC] cmb@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Any object (unless it implements __toString()) or array will
exhibit this behavior (not only "empty" objects), and this is
rather sensible, since it makes it possible to distinguish between
reasonable but invalid input (such as a non-numeric string) and
nonsensical/impossible input.  If this distinction is not desired,
casting the return value to string is still possible.
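
The distinction described in the reply above, as an added example that is not part of the original report or of PHP itself: it contrasts casting the return value to string with a strict check that rejects arrays and objects lacking __toString(). The helper `sanitize_strict()`, the class `Amount` and all sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of PHP or of the report): sanitize a value,
// but keep unfilterable input distinguishable from input that sanitized to ''.
function sanitize_strict($input, int $filter = FILTER_SANITIZE_NUMBER_FLOAT): string
{
    $result = filter_var($input, $filter, FILTER_NULL_ON_FAILURE);

    // Arrays and objects without __toString() make filter_var() fail; per the
    // report that is false on PHP 5 and null on PHP 7 with this flag set.
    if ($result === false || $result === null) {
        throw new InvalidArgumentException(
            'Unfilterable input of type ' . gettype($input)
        );
    }
    return $result;
}

// Constructed sample: an object that opts in to string conversion.
final class Amount
{
    public function __toString(): string
    {
        return '12abc';
    }
}

// Constructed sample inputs covering the cases discussed in the thread.
$samples = [
    'null'              => null,
    'empty string'      => '',
    'non-numeric'       => 'abc',
    'stdClass'          => new stdClass(),
    'array'             => ['1'],
    'with __toString()' => new Amount(),
];

foreach ($samples as $label => $input) {
    // Loose handling: the cast turns a failure (false) into '', so it can no
    // longer be told apart from a string that sanitized to nothing.
    $loose = (string) filter_var($input, FILTER_SANITIZE_NUMBER_FLOAT);
    try {
        $strict = var_export(sanitize_strict($input), true);
    } catch (InvalidArgumentException $e) {
        $strict = 'rejected: ' . $e->getMessage();
    }
    printf("%-18s loose=%s strict=%s\n", $label, var_export($loose, true), $strict);
}
```

The strict comparison matters because a loose check such as `!$result` would also treat a legitimately empty sanitized string as a failure.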
 