Bug #48906 checkdate returns true on false date
Submitted: 2009-07-13 19:11 UTC Modified: 2009-07-14 19:08 UTC
From: arno dot zandink at gmail dot com Assigned:
Status: Not a bug Package: Date/time related
PHP Version: 5.3.0 OS: *
Private report: No CVE-ID: None
 [2009-07-13 19:11 UTC] arno dot zandink at gmail dot com
Description:
------------
checkdate returns true when the date given is not a valid date

If this is not considered a bug, perhaps adding a warning on the manual page would be wise

Reproduce code:
---------------
---
From manual page: function.checkdate
---
<?php

$date = "01-01-1980 <script>alert('test');</script>";
$aDate_parts = preg_split("/[\s-]+/", $date);

var_dump(
    checkdate(
        $aDate_parts[1], // Month
        $aDate_parts[0], // Day
        $aDate_parts[2] // Year
    )
);

?>

Expected result:
----------------
I would expect var_dump to print a boolean (false) because the date is not valid

Actual result:
--------------
A boolean (true) is returned with an invalid date

 [2009-07-13 19:49 UTC] sjoerd-php at linuxonly dot nl
Thank you for your bug report.

Your example code can be summarized as follows:
<?php var_dump(checkdate('01', '01', '1980')); ?>

I would expect this to return true, because January 1st 1980 is a valid date. Why do you think it is an invalid date?
 [2009-07-13 20:54 UTC] arno dot zandink at gmail dot com
Hmm, indeed I changed my script at the last minute because I got a deprecated notice.

My first test was as follows:
<?php

$date = "01-01-1980 <script>alert('test');</script>";
$aDate_parts = split('-', $date);
print_r($aDate_parts);
var_dump(
    checkdate(
        $aDate_parts[1], // Month
        $aDate_parts[0], // Day
        $aDate_parts[2] // Year
    )
);

?>

This example will result in the following array:
<?php

Array
(
    [0] => 01
    [1] => 01
    [2] => 1980 <script>alert('test');</script>
)

?>

And it will return a boolean (true)
 [2009-07-14 11:14 UTC] sjoerd-php at linuxonly dot nl
The function checkdate() takes three integers as arguments. That means that if you pass it a string, it will be cast to an int. The string "1980 <script>alert('test');</script>" cast to an int will result in 1980.

So
checkdate("01", "01", "1980 <script>alert('test');</script>")
is equivalent to
checkdate(1, 1, 1980)

This is not a bug in PHP, rather a limitation of checkdate: it assumes that you pass it numbers. You should check yourself that your input is numeric.
 [2009-07-14 12:54 UTC] arno dot zandink at gmail dot com
OK, sounds logical indeed; the ticket can be closed in this case. I only recommend adding a notice / warning / hint on the manual page perhaps, to avoid people using checkdate() and after that inserting the date directly into the database.

Thanks for the time
 [2009-07-14 13:18 UTC] derick@php.net
There is actually a warning already:

derick@kossu:~$ php
<?php
checkdate("01", "01", "1980 <script>alert('test');</script>");
?>

Notice: A non well formed numeric value encountered in /home/derick/- on line 2

Call Stack:
    8.1010     653592   1. {main}() /home/derick/-:0
    8.1010     654376   2. checkdate(string(2), string(2), string(36)) /home/derick/-:2

 [2009-07-14 19:08 UTC] arno dot zandink at gmail dot com
Ah yes, you are right. I had forgotten that E_NOTICE is disabled at the company where I work; I added error_reporting(E_ALL); and I see the notice.

Thanks for your reply and your time
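
The input check that the thread says the caller has to do before checkdate(), as an added example (not part of the original report and not PHP's own code). `parseStrictDate()` is a hypothetical helper name, the DD-MM-YYYY format is taken from the reporter's test string, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Added example: strict DD-MM-YYYY validation.
 * parseStrictDate() is a hypothetical helper name, not a PHP built-in.
 * Returns a normalised YYYY-MM-DD string, or null if the input is not
 * exactly a valid calendar date with nothing before or after it.
 */
function parseStrictDate(string $input): ?string
{
    // \A and \z anchor to the true start and end of the string; unlike $,
    // \z does not tolerate a trailing newline. Without /u, \d matches
    // ASCII digits only.
    if (!preg_match('/\A(\d{2})-(\d{2})-(\d{4})\z/', $input, $m)) {
        return null;
    }

    // Cast only after the shape is proven, so no trailing bytes are
    // silently dropped by the string-to-int conversion.
    $day = (int) $m[1];
    $month = (int) $m[2];
    $year = (int) $m[3];

    if (!checkdate($month, $day, $year)) {
        return null; // shape is right but the date does not exist, e.g. 31-02-1980
    }

    // Rebuild the value from the integers; never pass the raw input on.
    return sprintf('%04d-%02d-%02d', $year, $month, $day);
}

// Constructed sample inputs.
$samples = [
    "01-01-1980",
    "01-01-1980 <script>alert('test');</script>",
    "31-02-1980",
    "01-01-1980\n",
];

foreach ($samples as $sample) {
    var_dump(parseStrictDate($sample));
}
```

Only the returned string should be stored or echoed, and it should still go into the database through a bound query parameter.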
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu May 02 16:01:29 2024 UTC