php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41250 Filter SANITIZE_STRING only filters backslash when escaping
Submitted: 2007-05-01 09:52 UTC Modified: 2007-05-02 15:42 UTC
From: david at emomentum dot co dot uk Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5CVS-2007-05-01 (snap) OS: Windows XP
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: david at emomentum dot co dot uk
New email:
PHP Version: OS:

 

 [2007-05-01 09:52 UTC] david at emomentum dot co dot uk
Description:
------------
The filter FILTER_SANITIZE_STRING only filters out a backslash when it is escaping something. This means if a backslash is entered into a form without escaping anything, it will not be filtered and could be executed into SQL, therefore triggering an escape within the SQL and generating an error.

Reproduce code:
---------------
<?php
$value = '\'example';
echo filter_var($value, FILTER_SANITIZE_STRING).'<br />';

$value = '\example';
echo filter_var($value, FILTER_SANITIZE_STRING).'<br />';
?>

Expected result:
----------------
'example
example

Actual result:
--------------
'example
\example

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-05-02 12:20 UTC] stas@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Neither example actually filters backslash. First example doesn't even see backslash since \' is parsed as one symbol - single quote, escaped by the backslash. I think if you intend to use it with SQL it's better to use either FILTER_SANITIZE_MAGIC_QUOTES or encoding filter.
 [2007-05-02 13:04 UTC] derick@php.net
You should use bind/prepared queries for SQL, definitely *not* the magic quotes filter.
 [2007-05-02 15:42 UTC] david at emomentum dot co dot uk
You don't want to be used a bind/prepared statement for every query with user submitted data though. Personally, I'd expect the FILTER_SANITIZE_STRING filter to filter out special characters like \ anyway.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 12 21:01:28 2024 UTC