Bug #45606 FILTER_SANITIZE_NUMBER_INT filter returns "----" as an int
Submitted: 2008-07-23 16:47 UTC Modified: 2008-07-24 12:17 UTC
From: php at displague dot com Assigned: pajoye (profile)
Status: Not a bug Package: Filter related
PHP Version: 5.2.6 OS: ubuntu intrepid
Private report: No CVE-ID: None
 [2008-07-23 16:47 UTC] php at displague dot com
Description:
------------
In code where I use

filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT, array('options'=>array('min_range'=>1)));

a vulnerability scanner tried to supply a value of <!-- test --> to the id parameter of the page.

This filter statement caused $id=='----'.

Reproduce code:
---------------
$t="<!-- test -->";
$v=filter_var($t, FILTER_SANITIZE_NUMBER_INT, array('options'=>array('min_range'=>1)));

Expected result:
----------------
$v==false

Actual result:
--------------
$v=='----'

 [2008-07-23 16:55 UTC] pajoye@php.net
The sanitize filter checks only whether all characters in a given input can be part of an integer, float, etc. If you would like strict validation, use FILTER_VALIDATE_INT (or the other validating filters).
 [2008-07-23 18:17 UTC] php at displague dot com
> sanitize checks only if all characters used in a given
> input can be part of an integer, float, etc

Where does it say that? http://php.net/manual/en/intro.filter.php
From what I could gather from the docs, 
filter_var should return:
 Returns the filtered data, or FALSE if the filter fails. 
and filter_input should return:

Value of the requested variable on success, FALSE if the filter fails, or NULL if the variable_name variable is not set. If the flag FILTER_NULL_ON_FAILURE is used, it returns FALSE if the variable is not set and NULL if the filter fails.

I understand that FILTER_VALIDATE_INT is not as stringent as FILTER_SANITIZE_NUMBER_INT, but given these input and return combinations:

input    return
x.9      9
x-9      -9
x        ''
-        -
+        +
++       ++
--       --

Then given the string, "<!-- test -->", how is a return value of "----" a valid INT with a minimum of 1?

I assume a regular expression is behind this filter, and at the very least I expect that it needs to be updated to match no more than one "-" or "+", and only if it is followed by a "." or [0-9].  Possibly others depending on localization settings.

It's not much of a validation filter as it exists currently.
 [2008-07-23 18:46 UTC] php at displague dot com
I used FILTER_SANITIZE_NUMBER_INT and FILTER_VALIDATE_INT backward in my last comment.

Still, neither filter should ever return '----' as an INT with a minimum value of 1.
 [2008-07-24 12:17 UTC] lbarnaud@php.net
This result is expected; the documentation for FILTER_SANITIZE_NUMBER_INT says: "Remove all characters except digits, plus and minus sign".

FILTER_VALIDATE_INT works as you expect: it does not output invalid numbers, and it does range checks using the min_range/max_range options.

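The distinction drawn in the two replies above, as an added example that is not part of the bug report or of PHP's own code: run the reporter's inputs (including the scanner payload "<!-- test -->") through both FILTER_SANITIZE_NUMBER_INT and FILTER_VALIDATE_INT with the min_range option, and show the validate-only pattern for reading an id parameter. The helper names compare_filters and read_id are invented for this example, and the code assumes PHP 7.1 or later for the scalar and nullable type declarations.

```php
<?php
// Added example, not from the bug report or from PHP itself.
// Contrast the sanitizing filter (strips characters, never fails) with the
// validating filter (returns a failure value for anything that is not an int
// within range). Assumes PHP >= 7.1 for the type declarations.

/**
 * Run one input through both filters and return the results side by side.
 * min_range => 1 is the option the reporter used. FILTER_NULL_ON_FAILURE
 * makes a failed validation come back as null rather than false, so a
 * failure cannot be confused with a legitimate falsy value.
 */
function compare_filters(string $input): array
{
    $sanitized = filter_var($input, FILTER_SANITIZE_NUMBER_INT);
    $validated = filter_var(
        $input,
        FILTER_VALIDATE_INT,
        array(
            'options' => array('min_range' => 1),
            'flags'   => FILTER_NULL_ON_FAILURE,
        )
    );
    return array('sanitize' => $sanitized, 'validate' => $validated);
}

// Constructed test inputs: the reporter's table plus the scanner payload,
// a valid id, a below-range value and a padded value.
$inputs = array(
    'x.9', 'x-9', 'x', '-', '+', '++', '--',
    '<!-- test -->', '42', '0', ' 7 ',
);

printf("%-16s %-12s %s\n", 'input', 'sanitize', 'validate (min_range=1)');
foreach ($inputs as $in) {
    $r = compare_filters($in);
    printf(
        "%-16s %-12s %s\n",
        var_export($in, true),
        var_export($r['sanitize'], true),
        var_export($r['validate'], true)
    );
}

/**
 * The pattern the thread points to for an id parameter: validate, do not
 * sanitize, and treat anything that is not an integer >= 1 as rejected.
 * Takes the request array explicitly so it can be exercised offline.
 * Returns the integer id, or null when the value is missing or invalid.
 */
function read_id(array $get): ?int
{
    if (!array_key_exists('id', $get)) {
        return null;
    }
    return filter_var(
        $get['id'],
        FILTER_VALIDATE_INT,
        array(
            'options' => array('min_range' => 1),
            'flags'   => FILTER_NULL_ON_FAILURE,
        )
    );
}

var_dump(read_id(array('id' => '<!-- test -->')));
var_dump(read_id(array('id' => '17')));
var_dump(read_id(array()));
```

In production code the array passed to read_id would be $_GET (or filter_input(INPUT_GET, ...) with the same validating filter and options); the point is that the caller branches on null and never uses the sanitized string as if it were a checked integer.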
 [2013-10-01 11:00 UTC] jobindcruz at gmail dot com
FILTER_SANITIZE_NUMBER_INT still returns the minus (-) sign.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Oct 05 23:01:27 2024 UTC