php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60541 FILTER_SANITIZE_NUMBER_INT fails to filter strings with plus and minus
Submitted: 2011-12-16 00:07 UTC Modified: 2011-12-17 18:21 UTC
From: klaussilveira@php.net Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.3.8 OS: UNIX
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: klaussilveira@php.net
New email:
PHP Version: OS:

 

 [2011-12-16 00:07 UTC] klaussilveira@php.net
Description:
------------
The filter_var FILTER_SANITIZE_NUMBER_INT filter fails to sanitize plus and minus 
signs in a string. This is the expected behavior, since + and - are accepted in 
an integer. However, the filter fails to recognize multiple + and -, returning an 
string instead of an integer.

For example: 

filter_var("I'm+captain4", FILTER_SANITIZE_NUMBER_INT; // returns +4, OK!
filter_var("I'm++captain4", FILTER_SANITIZE_NUMBER_INT; // returns ++4, FAILURE!

I wrote a small patch that makes the filter ignore + and - signs, which, i 
believe, it's the best behavior for this. 

Test script:
---------------
<?php

// Normal behavior
$a = filter_var("I'm+captainSp4rrow!", FILTER_SANITIZE_NUMBER_INT);
$b = filter_var("I'm+captain4", FILTER_SANITIZE_NUMBER_INT);

echo "$a and $b" . PHP_EOL;
echo $a + $b . PHP_EOL;

// Problems comes in when we have multiple minus or plus signs in the string
$a = filter_var("I'm++captainSp4rrow!", FILTER_SANITIZE_NUMBER_INT);
$b = filter_var("I'm++captain4", FILTER_SANITIZE_NUMBER_INT);

echo "$a and $b" . PHP_EOL;
echo $a + $b . PHP_EOL;

Expected result:
----------------
4 and 4
8
4 and 4
8


Patches

sanitize_integers (last revision 2011-12-16 00:07 UTC by klaussilveira@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-12-16 00:07 UTC] klaussilveira@php.net
The following patch has been added/updated:

Patch Name: sanitize_integers
Revision:   1323994062
URL:        https://bugs.php.net/patch-display.php?bug=60541&patch=sanitize_integers&revision=1323994062
 [2011-12-16 00:17 UTC] klaussilveira@php.net
The most elegant solution was to detect only + and - signs that are next to a 
number, and remove all others. For example:

filter_var("ad--td#$@++qsdh-3", FILTER_SANITIZE_NUMBER_INT); // returns -3

Right now, the filter behavior is: 

filter_var("ad--td#$@++qsdh-3", FILTER_SANITIZE_NUMBER_INT); // returns --++-3

Which is VERY bad and HORRIBLY wrong.
 [2011-12-17 14:31 UTC] cataphract@php.net
The purpose of the sanitisation filters is not to transform data so as to make it valid, it merely "removes undesirable characters" (see http://php.net/manual/en/intro.filter.php ). Though this description is not entirely correct (for instance FILTER_SANITIZE_SPECIAL_CHARS with FILTER_FLAG_ENCODE_HIGH will transform some characters into HTML entities -- in a rather flawed way, I must say, because it arbitrarily assumes a sort of ISO-8859-1 extension), what is clear is that data may very well still be invalid after running the sanitisation filters.
 [2011-12-17 14:31 UTC] cataphract@php.net
-Status: Open +Status: Bogus
 [2011-12-17 14:31 UTC] cataphract@php.net
Plus, this matches perfectly the documentation ("Remove all characters except digits, plus and minus sign.")
 [2011-12-17 17:23 UTC] klaussilveira@php.net
Yes, it matches the documentation. But filtering "ad--td#$@++qsdh-3" and returning 
"--++-3" is wrong. The filter is not implemented correctly, it should remove all + 
and - characters that are not next to a number. Filtering "ad--td#$@++qsdh-3" 
should return "-3", that's a valid integer.
 [2011-12-17 18:18 UTC] cataphract@php.net
Nothing says it should return a valid integer, just like the e-mail sanitization filter doesn't have to return a valid e-mail.
 [2011-12-17 18:21 UTC] pajoye@php.net
In other words, and as stated in the documentation, what you are looking for are 
the validate filters, in this case FILTER_VALIDATE_INT, see 
http://www.php.net/manual/en/filter.filters.validate.php
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 09 17:01:27 2024 UTC