Bug #40156 FILTER_SANITIZE_NUMBER_FLOAT incorrect when multiple dots in value
Submitted: 2007-01-17 20:01 UTC Modified: 2007-01-17 20:36 UTC
From: pmjones88 at gmail dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.2.0 OS: Mac OS X
Private report: No CVE-ID:
 [2007-01-17 20:01 UTC] pmjones88 at gmail dot com
Description:
------------
When using FILTER_SANITIZE_NUMBER_FLOAT with FILTER_FLAG_ALLOW_FRACTION, it seems to allow any number of decimal points, not just a single decimal point.  This results in an invalid value being reported as sanitized. 

Reproduce code:
---------------
<?php
$val = 'abc ... 123.45 ,.../';
// FILTER_FLAG_ALLOW_FRACTION keeps '.' in addition to digits and +-
$san = filter_var($val, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
var_dump($san);
?>

Expected result:
----------------
float 123.45

Actual result:
--------------
string(12) "...123.45..." 

History

 [2007-01-17 20:11 UTC] pajoye@php.net
Use FILTER_VALIDATE_FLOAT if you like to validate a string and get a float value. Sanitizing filters only clean the string.
 [2007-01-17 20:12 UTC] tony2001@php.net
http://php.net/filter
FILTER_SANITIZE_NUMBER_FLOAT - Remove all characters except digits, +- and optionally .,eE.

It's not supposed to validate the result.
 [2007-01-17 20:23 UTC] pmjones88 at gmail dot com
Then it should at least fail when it realizes that the value isn't going to be useful as a float.  Maybe I don't get it; a "sanitized" float should return as a "float".  Otherwise you're just stripping non-numeric characters, which is not quite the same thing.
 [2007-01-17 20:25 UTC] derick@php.net
No, that's what the logical filters are for.
 [2007-01-17 20:26 UTC] tony2001@php.net
Again, sanitizing filter just sanitizes the input data, it does not validate it.
 [2007-01-17 20:33 UTC] pmjones88 at gmail dot com
When I try pajoye's suggestion, to use validation, it does not return a float as he says it should.  Instead, it (properly) returns false.

<?php
$val = 'abc ... 123.45 ,.../';
$san = filter_var($val, FILTER_VALIDATE_FLOAT);
var_dump($san); // (bool) false
?>

What's a guy gotta do to get a float out of that?
 [2007-01-17 20:36 UTC] derick@php.net
The string you're passing is obviously not a valid float... as it has all kinds of weird stuff around it. Of course it returns "false" (invalid data) in this case. ext/filter is not a regular expression collection... it's there to filter out unwanted characters (sanitizing filters) or to validate the contents of a string as a specific type of data.
 [2010-09-17 15:38 UTC] ndesbarats at gmail dot com
Had the same problems as pmjones88, and wrote a function to extract floats (and ints) more intelligently from strings that contain superfluous characters. Hope this helps. I think something like this should be added as a core PHP function, since I have to believe that it addresses a pretty common need:

http://www.choosingsmarter.com/2010/09/extracting-a-number-from-a-string-in-php.html
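The distinction the maintainers draw above (a sanitizing filter only strips characters, a validating filter decides whether the result is a float) is easy to get wrong in code that treats the sanitized string as a number. The following is an added example, not code from the bug report, from ext/filter, or from the linked blog post: it chains FILTER_SANITIZE_NUMBER_FLOAT with FILTER_VALIDATE_FLOAT so that leftovers such as "...123.45..." are rejected, and shows a second, regex-based extraction that pulls the first float token out of noisy input before validating it. The function names, the regex and the sample inputs are this example's own assumptions; it needs PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example (not part of the bug report): a sanitizing filter's output
// must still be validated before it is used as a number.

/**
 * Return the float in $input, or null when the stripped string is not a
 * single well-formed float.
 *
 * Step 1 is exactly what FILTER_SANITIZE_NUMBER_FLOAT does: drop everything
 * except digits, +, - and (with ALLOW_FRACTION) '.'. Step 2 is the part the
 * report expected the sanitizer to do: reject leftovers like "...123.45...".
 */
function sanitized_float(string $input): ?float
{
    $stripped = filter_var(
        $input,
        FILTER_SANITIZE_NUMBER_FLOAT,
        FILTER_FLAG_ALLOW_FRACTION
    );
    // FILTER_VALIDATE_FLOAT returns false on failure. 0.0 is a valid float,
    // so the check must be strict (=== false), not a truthiness test.
    $value = filter_var($stripped, FILTER_VALIDATE_FLOAT);
    return $value === false ? null : $value;
}

/**
 * For genuinely noisy input: take the first token that looks like a float,
 * then validate that token. This yields 123.45 for 'abc ... 123.45 ,.../'
 * instead of rejecting the whole string. The regex is this example's own
 * choice, not an ext/filter feature, and it will accept a prefix such as
 * "1.2" from "1.2.3"; decide whether that is acceptable for your input.
 */
function first_float(string $input): ?float
{
    if (!preg_match('/[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?/', $input, $m)) {
        return null;
    }
    $value = filter_var($m[0], FILTER_VALIDATE_FLOAT);
    return $value === false ? null : $value;
}

// Constructed inputs, including the one from the report.
$cases = [
    'abc ... 123.45 ,.../', // sanitize leaves "...123.45...", validate rejects it
    '123.45',               // clean input: both paths agree
    '-1.5e3xyz',            // without FILTER_FLAG_ALLOW_SCIENTIFIC the 'e' is
                            // stripped, so sanitize alone turns -1500 into -1.53
    '0',                    // zero is a valid float, not a failure
    '1.2.3',                // two dots survive sanitizing; validate rejects it
];

foreach ($cases as $c) {
    $s = filter_var($c, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
    printf(
        "%-24s sanitize=%-16s sanitized_float=%-8s first_float=%s\n",
        var_export($c, true),
        var_export($s, true),
        var_export(sanitized_float($c), true),
        var_export(first_float($c), true)
    );
}
```

The '-1.5e3xyz' case is the one to keep in mind: sanitizing does not merely leave junk around a number, it can silently change the number's meaning when a character class the flags do not permit is removed. Whichever extraction strategy is used, the value that reaches arithmetic, SQL parameters or business logic should be the return value of FILTER_VALIDATE_FLOAT (checked with ===), never the sanitized string.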
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 12:01:52 2014 UTC