php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #41250 Filter SANITIZE_STRING only filters backslash when escaping
Submitted: 2007-05-01 09:52 UTC Modified: 2007-05-02 15:42 UTC
From: david at emomentum dot co dot uk Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5CVS-2007-05-01 (snap) OS: Windows XP
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
47 - 37 = ?
Subscribe to this entry?

 
 [2007-05-01 09:52 UTC] david at emomentum dot co dot uk 
Description:
------------
The filter FILTER_SANITIZE_STRING only filters out a backslash when it is escaping something. This means if a backslash is entered into a form without escaping anything, it will not be filtered and could be executed into SQL, therefore triggering an escape within the SQL and generating an error.

Reproduce code:
---------------
<?php
$value = '\'example';
echo filter_var($value, FILTER_SANITIZE_STRING).'<br />';

$value = '\example';
echo filter_var($value, FILTER_SANITIZE_STRING).'<br />';
?>

Expected result:
----------------
'example
example

Actual result:
--------------
'example
\example

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-05-02 12:20 UTC] stas@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Neither example actually filters backslash. First example doesn't even see backslash since \' is parsed as one symbol - single quote, escaped by the backslash. I think if you intend to use it with SQL it's better to use either FILTER_SANITIZE_MAGIC_QUOTES or encoding filter.
 [2007-05-02 13:04 UTC] derick@php.net 
You should use bind/prepared queries for SQL, definitely *not* the magic quotes filter.
 [2007-05-02 15:42 UTC] david at emomentum dot co dot uk 
You don't want to be used a bind/prepared statement for every query with user submitted data though. Personally, I'd expect the FILTER_SANITIZE_STRING filter to filter out special characters like \ anyway.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 17:01:31 2024 UTC