php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #56690 Changing filter.default with ini_set() in script does not work
Submitted: 2005-12-03 11:22 UTC Modified: 2006-05-08 12:20 UTC
From: ramsey@php.net Assigned: pajoye (profile)
Status: Closed Package: filter (PECL)
PHP Version: Irrelevant OS: Debian sarge
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ramsey@php.net
New email:
PHP Version: OS:

 

 [2005-12-03 11:22 UTC] ramsey@php.net
Description:
------------
Changing filter.default with ini_set() at the script level does not appear to have the expected results. While it does properly change the setting, the output of filter_data() and input_get() when not specifying a filter uses the default filter as set in php.ini and not the one set with ini_set() at the script level.

This may be a design choice when outputting variables such as $_GET and $_POST, but when properly filtering on these variables, it still does not observe the new default filter as specified with ini_set().

In filter.c, this ini directive is properly set to PHP_INI_ALL, so I suspect the reason it's behaving this way with variables like $_GET['foo'] is because it's sanitizing them before the script starts executing. This is likely by design, and so that is fine. However, I did notice that even input_get() seems to be retaining the original filter.default rather than using the one set in the script. See below for an example.

Reproduce code:
---------------
Example URL:
http://example.org/test.php?foo=%3Cp%3EHello,%20World%3C/p%3E

<?php
var_dump(ini_get('filter.default'));
ini_set('filter.default', 'special_chars');
var_dump(ini_get('filter.default'));

var_dump($_GET['foo']);
var_dump(input_get(INPUT_GET, 'foo'));
var_dump(input_get(INPUT_GET, 'foo', FS_SPECIAL_CHARS));
?>

Expected result:
----------------
string(6) "string"
string(13) "special_chars"
string(12) "Hello, World"
string(35) "&#60;p&#62;Hello, World&#60;/p&#62;"
string(35) "&#60;p&#62;Hello, World&#60;/p&#62;"

- or even -

string(6) "string"
string(13) "special_chars"
string(35) "&#60;p&#62;Hello, World&#60;/p&#62;"
string(35) "&#60;p&#62;Hello, World&#60;/p&#62;"
string(35) "&#60;p&#62;Hello, World&#60;/p&#62;"

Actual result:
--------------
string(6) "string"
string(13) "special_chars"
string(12) "Hello, World"
string(12) "Hello, World"
string(35) "&#60;p&#62;Hello, World&#60;/p&#62;"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-05-08 12:20 UTC] pierre dot php at gmail dot com
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

It cannot be changed in the scripts. If one can change the default filter, it will then defeat the main goal of a safe default filter.

Please note that php 5.2 (and current head in pecl cvs) will use unsafe_raw as the filter.default.

I also update the ini settings to allow only SYS and PERDIR changes.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Jul 17 06:01:26 2019 UTC