PHP :: Bug #40156 :: FILTER_SANITIZE_NUMBER_FLOAT incorrect when multiple dots in value

Bug #40156	FILTER_SANITIZE_NUMBER_FLOAT incorrect when multiple dots in value
Submitted:	2007-01-17 20:01 UTC	Modified:	2007-01-17 20:36 UTC
From:	pmjones88 at gmail dot com	Assigned:
Status:	Not a bug	Package:	Filter related
PHP Version:	5.2.0	OS:	Mac OS X
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-01-17 20:01 UTC] pmjones88 at gmail dot com

Description:
------------
When using FILTER_SANITIZE_NUMBER_FLOAT with FILTER_FLAG_ALLOW_FRACTION, it seems to allow any number of decimal points, not just a single decimal point.  This results in an invalid value being reported as sanitized. 

Reproduce code:
---------------
<?php
$val = 'abc ... 123.45 ,.../';
$san = filter_var($val, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
var_dump($san);
?>

Expected result:
----------------
float 123.45

Actual result:
--------------
string(12) "...123.45..."

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-01-17 20:11 UTC] pajoye@php.net

Use FILTER_VALIDATE_FLOAT if you like to validate a string and get a float value. Sanitizing filters only clean the string.

[2007-01-17 20:12 UTC] tony2001@php.net

http://php.net/filter
FILTER_SANITIZE_NUMBER_FLOAT - Remove all characters except digits, +- and optionally .,eE.

It's not supposed to validate the result.

[2007-01-17 20:23 UTC] pmjones88 at gmail dot com

Then it should at least fail when it realizes that the value isn't going to be useful as a float.  Maybe I don't get it; a "sanitized" float should return as a "float".  Otherwise you're just stripping non-numeric characters, which is not quote the same thing.

[2007-01-17 20:25 UTC] derick@php.net

No, that's what the logical filters are for.

[2007-01-17 20:26 UTC] tony2001@php.net

Again, sanitizing filter just sanitizes the input data, it does not validate it.

[2007-01-17 20:33 UTC] pmjones88 at gmail dot com

When I try pajoye's suggestion, to use validation, it does not return a float as he says it should.  Instead, it (properly) returns false.

    $val = 'abc ... 123.45 ,.../';
    $san = filter_var($val, FILTER_VALIDATE_FLOAT);
    var_dump($san); // (bool) false

What's a guy gotta do to get a float out of that?

[2007-01-17 20:36 UTC] derick@php.net

The string you're passing is obviously not a valid float... as it has all kinds of weird stuff around it. Of course it returns "false" (invalid data) in this case. ext/filter is not a regular expression collection... it's there to filter out unwanted characters (sanitizing filters) or to validate the contents of a string as a specific type of data.

[2010-09-17 15:38 UTC] ndesbarats at gmail dot com

Had the same problems as pmjones88, and wrote a function to extract floats (and ints) more intelligently from strings that contain superfluous characters. Hope this helps. I think something like this should be added as a core PHP function, since I have to believe that it addresses a pretty common need:

http://www.choosingsmarter.com/2010/09/extracting-a-number-from-a-string-in-php.html

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 18:01:29 2024 UTC