Bug #48906 checkdate returns true on false date
Submitted: 2009-07-13 19:11 UTC Modified: 2009-07-14 19:08 UTC
From: arno dot zandink at gmail dot com Assigned:
Status: Not a bug Package: Date/time related
PHP Version: 5.3.0 OS: *
Private report: No CVE-ID: None
 [2009-07-13 19:11 UTC] arno dot zandink at gmail dot com
Description:
------------
checkdate returns true when the date given is not a valid date

If this is not considered a bug, perhaps adding a warning on the manual page would be wise

Reproduce code:
---------------
---
From manual page: function.checkdate
---
<?php

$date = "01-01-1980 <script>alert('test');</script>";
$aDate_parts = preg_split("/[\s-]+/", $date);

var_dump(
    checkdate(
        $aDate_parts[1], // Month
        $aDate_parts[0], // Day
        $aDate_parts[2] // Year
    )
);

?>

Expected result:
----------------
I would expect var_dump to print a boolean (false) because the date is not valid

Actual result:
--------------
A boolean (true) is returned with an invalid date

 [2009-07-13 19:49 UTC] sjoerd-php at linuxonly dot nl
Thank you for your bug report.

Your example code can be summarized as follows:
<?php var_dump(checkdate('01', '01', '1980')); ?>

I would expect this to return true, because January 1st 1980 is a valid date. Why do you think it is an invalid date?
 [2009-07-13 20:54 UTC] arno dot zandink at gmail dot com
Hmm, indeed I changed my script at the last minute because I got a deprecated notice.

My first test was as follows:
<?php

$date = "01-01-1980 <script>alert('test');</script>";
$aDate_parts = split('-', $date);
print_r($aDate_parts);
var_dump(
    checkdate(
        $aDate_parts[1], // Month
        $aDate_parts[0], // Day
        $aDate_parts[2] // Year
    )
);

?>

This example will result in the following array:
<?php

Array
(
    [0] => 01
    [1] => 01
    [2] => 1980 <script>alert('test');</script>
)

?>

And it will return a boolean (true)
 [2009-07-14 11:14 UTC] sjoerd-php at linuxonly dot nl
The function checkdate() takes three integers as arguments. That means that if you pass it a string, it will be cast to an int. The string "1980 <script>alert('test');</script>" cast to an int will result in 1980.

So
checkdate("01", "01", "1980 <script>alert('test');</script>")
is equivalent to
checkdate(1, 1, 1980)

This is not a bug in PHP, rather a limitation of checkdate: it assumes that you pass it numbers. You should check yourself that your input is numeric.
 [2009-07-14 12:54 UTC] arno dot zandink at gmail dot com
OK, sounds logical indeed; the ticket can be closed in this case. I only recommend adding a notice / warning / hint on the manual page perhaps, to avoid people using checkdate() and after that inserting the date directly into the database.

Thanks for the time
 [2009-07-14 13:18 UTC] derick@php.net
There is actually a warning already:

derick@kossu:~$ php
<?php
checkdate("01", "01", "1980 <script>alert('test');</script>");
?>

Notice: A non well formed numeric value encountered in /home/derick/- on line 2

Call Stack:
    8.1010     653592   1. {main}() /home/derick/-:0
    8.1010     654376   2. checkdate(string(2), string(2), string(36)) /home/derick/-:2

 [2009-07-14 19:08 UTC] arno dot zandink at gmail dot com
Ah yes, you are right. I had forgotten that E_NOTICE is disabled at the company where I work; I added error_reporting(E_ALL); and I see the notice.

Thanks for your reply and your time
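
The integer cast described in the thread, next to a stricter check, as an added example that is not part of the original report or of PHP's own code. The function names `loose_is_valid_date` and `strict_parse_date` and the DD-MM-YYYY input format are assumptions; the sample inputs are constructed, the first being the string from the report.

```php
<?php
// Added example, not from the bug report. Function names are hypothetical.

/** Mirrors the behaviour discussed in the thread: each part is cast to int
 *  before checkdate() sees it, so anything after the leading digits is dropped. */
function loose_is_valid_date(string $input): bool
{
    $parts = explode('-', $input);
    if (count($parts) !== 3) {
        return false;
    }
    // The explicit casts stand in for the implicit string-to-int conversion.
    return checkdate((int) $parts[1], (int) $parts[0], (int) $parts[2]);
}

/** Strict variant: the whole string must be DD-MM-YYYY, ASCII digits only.
 *  Returns a canonical YYYY-MM-DD string rebuilt from the integers, or null. */
function strict_parse_date(string $input): ?string
{
    // \A and \z anchor to the real start and end; "$" would accept a trailing newline.
    if (!preg_match('/\A(\d{2})-(\d{2})-(\d{4})\z/', $input, $m)) {
        return null;
    }
    [$day, $month, $year] = [(int) $m[1], (int) $m[2], (int) $m[3]];
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    return sprintf('%04d-%02d-%02d', $year, $month, $day);
}

// Constructed sample inputs.
$samples = [
    "01-01-1980 <script>alert('test');</script>", // string from the report
    "01-01-1980",                                 // well-formed, real date
    "31-02-1980",                                 // well-formed, impossible date
    "01-01-1980\n",                               // trailing newline
];

foreach ($samples as $s) {
    printf(
        "%-48s loose=%-5s strict=%s\n",
        json_encode($s),
        var_export(loose_is_valid_date($s), true),
        var_export(strict_parse_date($s), true)
    );
}
```

Storing or echoing the string returned by `strict_parse_date`, rather than the original input, means nothing that followed the date in the request reaches the database or the page.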
 
Last updated: Sun Oct 27 16:01:27 2024 UTC