php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #49274 filter_var() should accept objects without fatal error
Submitted: 2009-08-16 22:09 UTC Modified: 2010-05-05 17:37 UTC
From: cellog@php.net Assigned: pajoye (profile)
Status: Closed Package: *General Issues
PHP Version: 5.3SVN-2009-08-16 (SVN) OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
48 - 27 = ?
Subscribe to this entry?

 
 [2009-08-16 22:09 UTC] cellog@php.net
Description:
------------
<?php
filter_var(new stdClass, FILTER_VALIDATE_EMAIL);
?>

throws a fatal error because stdClass can't be converted into a string.  filter_var() should be more flexible and simply return false in this situation, it makes it very difficult to provide validation not just for untrusted user input but for untrusted third party use of libraries who may make it insecure by passing in the wrong value to a field for setting.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-08-17 09:32 UTC] jani@php.net
Does this happen ONLY with PHP_5_3 branch? If not, please use the proper version string.
 [2009-08-17 11:45 UTC] cellog@php.net
don't know, that's up to the developers to decide, don't you think?
 [2009-08-17 13:13 UTC] jani@php.net
This is not a bug. It's exactly what's supposed to happen. When you pass crap in you get crap out. The language isn't supposed to hold your hand in every corner.
 [2009-08-17 13:27 UTC] cellog@php.net
<?php
var_dump(filter_var(null, FILTER_VALIDATE_INT));
var_dump(filter_var(array(), FILTER_VALIDATE_INT));
var_dump(filter_var('hi', FILTER_VALIDATE_INT));
var_dump(filter_var(1.1, FILTER_VALIDATE_INT));
var_dump(filter_var(fopen('somefile', 'r'), FILTER_VALIDATE_INT));
var_dump(filter_var(1, FILTER_VALIDATE_INT));
var_dump(filter_var('1.0', FILTER_VALIDATE_INT));
?>

all work without error.

<?php
class blah {function __toString(){return '1';}}
var_dump(filter_var(new blah, FILTER_VALIDATE_INT));
?>

works without error.

Only filter_var with an object that doesn't implement __toString fails with an error.  Either filter is incorrectly returning false with no error on all of those other random types, or you're wrong, Jani.
 [2009-08-17 13:48 UTC] pajoye@php.net
As StdClass has no __toString implementation (obviously), it can't be converted to string.

I tend to agree that it should not raise a fatal (recovable error) here as it defeats the main purpose of this API.

I'm however not sure it is worth the effort to add custom error handler for this edge case. Patch welcome, it could help to get this edge case solved (I can't work on this exact issue any time soon).
 [2009-08-17 13:52 UTC] cellog@php.net
the stdClass was just to illustrate the point, this happens with any object that doesn't have a __toString().  I would imagine it would be easier to check for IS_OBJECT and then see if it implements __toString than to do a custom error handler.  The performance should be about the same (dismal).
 [2009-08-17 13:55 UTC] pajoye@php.net
it is indeed valid for all objects but it is still an edge case.

A check for IS_OBJECT + tostring() existence could be easy enough and with almost no impact(perf impact is null on the existing application). If you have some time to write one, go ahead.
 [2009-08-17 21:59 UTC] pajoye@php.net
http://pastie.org/586442 should do it. I did not not test more than the test case here.
 [2009-09-05 17:35 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=288083
Log: - fix #49274, filter_var does not accept object without a toString implementation
 [2009-09-05 17:37 UTC] pajoye@php.net
I will close it as soon as it gets merged in 5.3.1, if the RM agrees.
 [2009-10-09 17:32 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=289434
Log: - Merge: fix #49274, filter_var does not accept object without a toString implementation
 [2010-05-05 17:37 UTC] pajoye@php.net
-Status: Assigned +Status: Closed -Package: Feature/Change Request +Package: *General Issues
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 18:01:29 2024 UTC