php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #74482 Missing validation of date in DateTime::createFromFormat
Submitted: 2017-04-20 15:01 UTC Modified: 2017-04-24 11:52 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: spam at bugyik dot cz Assigned:
Status: Not a bug Package: Date/time related
PHP Version: 7.1.4 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: spam at bugyik dot cz
New email:
PHP Version: OS:

 

 [2017-04-20 15:01 UTC] spam at bugyik dot cz 
Description:
------------
I'm missing validation of date-time in DateTime::createFromFormat. The example below tells more.

Test script:
---------------
<?php

var_dump(\DateTime::createFromFormat(\DateTime::RFC3339, '2017-99-99T08:51:13-03:00'));

Expected result:
----------------
some exception expected (like from new DateTime('bad-time'))

Actual result:
--------------
object(DateTime)#1 (3) {
  ["date"]=>
  string(26) "2025-06-07 08:51:13.000000"
  ["timezone_type"]=>
  int(1)
  ["timezone"]=>
  string(6) "-03:00"
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-04-20 15:06 UTC] php-bugs at allenjb dot me dot uk 
DateTime has an internal warnings system it uses which you can use to detect invalid dates - see DateTime::getLastErrors(): https://3v4l.org/8IBbL
 [2017-04-20 16:24 UTC] spam at bugyik dot cz 
@allenjb: thanks for your suggestion, but I think this is only workaround, do you agree?
 [2017-04-21 11:38 UTC] heiglandreas@php.net
-Status: Open +Status: Not a bug
 [2017-04-21 11:38 UTC] heiglandreas@php.net 
Nope. The date you provided actually is not invalid. DateTime *assumes that you want to give a valid date*. As it's clearly not valid, DateTime tries to find a way to make it valid and also adds an error to the log. 

So when you want to break DateTime on purpose by passing it invalid parameters it's not a bug in DateTime.

You are looking for a way to *validate* a date which is not something the DateTime-library is made for. And as you are using a method that explicitly is named *create*FromFormat it can be assumed that you want to get a DateTime-Object from the input and not want an exception to be thrown…
 [2017-04-21 11:58 UTC] spam at bugyik dot cz 
@heiglandreas: Yes of course, it's not a bug, it's a feature. So, there is two way to create DateTime object from string with inconsistent behaviour. I forget, this is PHP :D

https://3v4l.org/v0IQb


> DateTime *assumes that you want to give a valid date*.

Sorry, but I'm using DateTime specially for validate user-input. I don't want to validate myself if *2017-99-99* is valid date,
 [2017-04-24 11:52 UTC] heiglandreas@php.net 
If you're looking to validate the user-input then use DateTime::createFromFormat and check the last error as suggested by php-bugs at allenjb dot me dot uk.

As it's an invalid Date you are providing "new DateTime()" will fail. When you want to create a DateTime-Object from the provided date at all costs, use the factory-method DateTime::createFromFormat.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Sep 18 13:00:02 2025 UTC