|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41250 Filter SANITIZE_STRING only filters backslash when escaping
Submitted: 2007-05-01 09:52 UTC Modified: 2007-05-02 15:42 UTC
From: david at emomentum dot co dot uk Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5CVS-2007-05-01 (snap) OS: Windows XP
Private report: No CVE-ID: None
 [2007-05-01 09:52 UTC] david at emomentum dot co dot uk
The filter FILTER_SANITIZE_STRING only filters out a backslash when it is escaping something. This means if a backslash is entered into a form without escaping anything, it will not be filtered and could be executed into SQL, therefore triggering an escape within the SQL and generating an error.

Reproduce code:
$value = '\'example';
echo filter_var($value, FILTER_SANITIZE_STRING).'<br />';

$value = '\example';
echo filter_var($value, FILTER_SANITIZE_STRING).'<br />';

Expected result:

Actual result:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2007-05-02 12:20 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

Neither example actually filters backslash. First example doesn't even see backslash since \' is parsed as one symbol - single quote, escaped by the backslash. I think if you intend to use it with SQL it's better to use either FILTER_SANITIZE_MAGIC_QUOTES or encoding filter.
 [2007-05-02 13:04 UTC]
You should use bind/prepared queries for SQL, definitely *not* the magic quotes filter.
 [2007-05-02 15:42 UTC] david at emomentum dot co dot uk
You don't want to be used a bind/prepared statement for every query with user submitted data though. Personally, I'd expect the FILTER_SANITIZE_STRING filter to filter out special characters like \ anyway.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Jun 13 07:01:34 2024 UTC