Bug #60541 FILTER_SANITIZE_NUMBER_INT fails to filter strings with plus and minus
Submitted: 2011-12-16 00:07 UTC Modified: 2011-12-17 18:21 UTC
From: Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.3.8 OS: UNIX
Private report: No CVE-ID: None
 [2011-12-16 00:07 UTC]
The filter_var FILTER_SANITIZE_NUMBER_INT filter fails to sanitize plus and minus 
signs in a string. This is the expected behavior, since + and - are accepted in 
an integer. However, the filter fails to recognize multiple + and -, returning a 
string instead of an integer.

For example: 

filter_var("I'm+captain4", FILTER_SANITIZE_NUMBER_INT);  // returns +4, OK!
filter_var("I'm++captain4", FILTER_SANITIZE_NUMBER_INT); // returns ++4, FAILURE!

I wrote a small patch that makes the filter ignore + and - signs, which, I 
believe, is the best behavior for this. 

Test script:

<?php
// Normal behavior: a single sign next to the digit survives sanitization
$a = filter_var("I'm+captainSp4rrow!", FILTER_SANITIZE_NUMBER_INT);
$b = filter_var("I'm+captain4", FILTER_SANITIZE_NUMBER_INT);

echo "$a and $b" . PHP_EOL;
echo ($a + $b) . PHP_EOL;

// Problems come in when we have multiple minus or plus signs in the string:
// every sign is kept, so the result is no longer a numeric string
$a = filter_var("I'm++captainSp4rrow!", FILTER_SANITIZE_NUMBER_INT);
$b = filter_var("I'm++captain4", FILTER_SANITIZE_NUMBER_INT);

echo "$a and $b" . PHP_EOL;
echo ($a + $b) . PHP_EOL;

Expected result:
4 and 4
4 and 4


sanitize_integers (last revision 2011-12-16 00:07 UTC by
 [2011-12-16 00:07 UTC]
The following patch has been added/updated:

Patch Name: sanitize_integers
Revision:   1323994062
 [2011-12-16 00:17 UTC]
The most elegant solution was to detect only + and - signs that are next to a 
number, and remove all others. For example:

filter_var("ad--td#$@++qsdh-3", FILTER_SANITIZE_NUMBER_INT); // returns -3

Right now, the filter behavior is: 

filter_var("ad--td#$@++qsdh-3", FILTER_SANITIZE_NUMBER_INT); // returns --++-3

Which is VERY bad and HORRIBLY wrong.
 [2011-12-17 14:31 UTC]
The purpose of the sanitisation filters is not to transform data so as to make it valid, it merely "removes undesirable characters" (see ). Though this description is not entirely correct (for instance FILTER_SANITIZE_SPECIAL_CHARS with FILTER_FLAG_ENCODE_HIGH will transform some characters into HTML entities -- in a rather flawed way, I must say, because it arbitrarily assumes a sort of ISO-8859-1 extension), what is clear is that data may very well still be invalid after running the sanitisation filters.
 [2011-12-17 14:31 UTC]
-Status: Open +Status: Bogus
 [2011-12-17 14:31 UTC]
Plus, this matches perfectly the documentation ("Remove all characters except digits, plus and minus sign.")
 [2011-12-17 17:23 UTC]
Yes, it matches the documentation. But filtering "ad--td#$@++qsdh-3" and returning 
"--++-3" is wrong. The filter is not implemented correctly, it should remove all + 
and - characters that are not next to a number. Filtering "ad--td#$@++qsdh-3" 
should return "-3", that's a valid integer.
 [2011-12-17 18:18 UTC]
Nothing says it should return a valid integer, just like the e-mail sanitization filter doesn't have to return a valid e-mail.
 [2011-12-17 18:21 UTC]
In other words, and as stated in the documentation, what you are looking for are 
the validate filters, in this case FILTER_VALIDATE_INT, see
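
Worked example, added here and not part of the bug report, the submitted patch or PHP's own source. It shows the distinction the maintainers draw above on a few constructed inputs: FILTER_SANITIZE_NUMBER_INT only strips characters, so its output can still be a non-integer such as "++4" or "--++-3", whereas FILTER_VALIDATE_INT rejects any input that is not a well-formed integer. The helper name read_int and the sample strings are assumptions made for this example.

```php
<?php
// Added example (not from the bug report, the patch, or PHP's own code).
// Compares FILTER_SANITIZE_NUMBER_INT with FILTER_VALIDATE_INT on constructed input.

/**
 * Return the integer the caller supplied, or null when the input is not a
 * valid integer (optionally outside [$min, $max]). FILTER_VALIDATE_INT accepts
 * only an optional sign followed by digits, with surrounding whitespace
 * trimmed, and it returns false for anything else, including overflow.
 * Never treat the output of a sanitize filter as a validated number.
 */
function read_int(string $raw, ?int $min = null, ?int $max = null): ?int
{
    $options = ['options' => []];
    if ($min !== null) {
        $options['options']['min_range'] = $min;
    }
    if ($max !== null) {
        $options['options']['max_range'] = $max;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, $options);
    return $value === false ? null : $value;
}

// Constructed sample inputs; the first three are the strings from the report.
$inputs = [
    "I'm+captain4",           // sanitize keeps "+4", which is a valid int
    "I'm++captain4",          // sanitize keeps "++4", which is not
    'ad--td#$@++qsdh-3',      // sanitize keeps "--++-3"
    '42',
    ' -17 ',                  // whitespace is trimmed by the validate filter
    '9999999999999999999999', // does not fit in a 64-bit int
];

foreach ($inputs as $raw) {
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    $validated = read_int($raw);
    // Validating the sanitized string does not rescue it either: "++4" is
    // still rejected, and the caller can no longer see what was stripped.
    $validatedAfterSanitize = read_int($sanitized);

    printf("%-28s sanitize=%-10s validate=%-6s validate(sanitized)=%s\n",
        var_export($raw, true),
        var_export($sanitized, true),
        var_export($validated, true),
        var_export($validatedAfterSanitize, true));
}

// Range checking belongs to the validate filter as well: a value that parses
// as an integer but lies outside the allowed range is rejected the same way.
printf("port 65536 in [1, 65535]: %s\n", var_export(read_int('65536', 1, 65535), true));
printf("port 8080 in [1, 65535]:  %s\n", var_export(read_int('8080', 1, 65535), true));
```

Run it with `php` on the command line. The sanitize column reproduces the strings quoted in the report, while the validate column is null for every input that is not an integer, so code that needs a number should branch on the validate result rather than on whatever the sanitize filter left behind.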
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Apr 21 09:01:29 2024 UTC