Bug #32127 is_numeric() not binary safe
Submitted: 2005-02-27 12:58 UTC Modified: 2005-04-14 09:44 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: M dot Kooiman at MAP-IS dot nl Assigned: derick (profile)
Status: Closed Package: Variables related
PHP Version: 4CVS, 5CVS (2005-02-27) OS: *
Private report: No CVE-ID: None

 [2005-02-27 12:58 UTC] M dot Kooiman at MAP-IS dot nl

It seems is_numeric() isn't binary safe. Which, in itself, isn't a big problem, but it becomes a problem when is_numeric() is used as input (GET/POST) validation.

Reproduce code:

<?php
/*
 * I'm fully aware you should first sanitize the data before outputting. The following code
 * is just an example pointing out the problem. Also consider situations where
 * the result is trusted because of is_numeric() and then used in SQL queries.
 */

/* call this like: file.php?whatever=123%00<script>alert(document.cookie);</script> */

// The value is echoed unescaped on purpose: the point is what is_numeric() lets through.
if (is_numeric($_GET['whatever'])) {
    echo "Whatever: {$_GET['whatever']}<br>";
} else {
    echo 'The string isn\'t numeric.';
}

Expected result:
is_numeric() should fail the string because it contains extra arbitrary data.

Actual result:
is_numeric() will validate a string that has a number + null char + arbitrary data as a valid number.
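
An added example (not part of the original report and not PHP's own code) of validation that does not depend on how is_numeric() treats embedded NUL bytes: it matches the whole byte string, returns a real integer, and still escapes on output. The helper name strict_decimal_int and the sample inputs are constructed for illustration; PHP 8 on a 64-bit build is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the report): accept only a plain decimal
 * integer and return it as int, or null when any byte is out of place.
 * 18 digits always fit a 64-bit PHP integer (assumed platform).
 */
function strict_decimal_int(mixed $raw, int $maxDigits = 18): ?int
{
    if (!is_string($raw)) {
        return null; // e.g. an array from ?whatever[]=1, or a missing key
    }
    // \A and \z anchor to the true start and end of the byte string, so a
    // NUL byte, a trailing newline or appended markup all fail the match.
    if (preg_match('/\A-?[0-9]{1,' . $maxDigits . '}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample inputs. The second mirrors the request from the report
// after URL decoding ("\0" is the decoded %00).
$samples = [
    '123',
    "123\0<script>alert(document.cookie);</script>",
    "123\n",
    '1e5',
    ' 42',
    ['123'],
];

foreach ($samples as $raw) {
    $value = strict_decimal_int($raw);
    // Make control bytes visible (NUL prints as \000) before displaying.
    $shown = is_string($raw) ? addcslashes($raw, "\0..\37") : gettype($raw);
    // Escape on output regardless of the validation result.
    printf(
        "%-55s => %s\n",
        htmlspecialchars($shown, ENT_QUOTES, 'UTF-8'),
        $value === null ? 'rejected' : "accepted as int $value"
    );
}
```

Only the first sample is accepted; downstream code then works with the returned int rather than the original request string.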


 [2005-04-05 10:18 UTC]
Please try using this CVS snapshot:
For Windows:

I can't reproduce it with latest snapshots.
 [2005-04-13 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2005-04-14 09:44 UTC] M dot Kooiman at MAP-IS dot nl
Hello Tony,

I just tried with the most recent version that's available on my machine, Ubuntu Hoary Hedgehog: PHP 4.3.10(-10ubuntu4), and it seems that it's fixed in that as well, so I'm sure PHP5 is ok.

Last updated: Thu Oct 21 11:03:34 2021 UTC