php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61497 REQUEST_TIME_FLOAT and REQUEST_TIME are not accessible through filter_input
Submitted: 2012-03-24 16:59 UTC Modified: 2018-03-10 14:11 UTC
Votes:21
Avg. Score:3.6 ± 1.0
Reproduced:21 of 21 (100.0%)
Same Version:2 (9.5%)
Same OS:4 (19.0%)
From: phristen at yahoo dot com Assigned:
Status: Open Package: Filter related
PHP Version: 5.4.0 OS: Windows 7
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-03-24 16:59 UTC] phristen at yahoo dot com
Description:
------------
REQUEST_TIME_FLOAT and REQUEST_TIME are not accessible through filter_input...
That is pretty self-explanatory.

Running this on Windows 7 + Apache 2.4, but it would be nice if somebody could check other platforms.

Test script:
---------------
foreach ($_SERVER as $i => $x) {
	if (!filter_has_var(INPUT_SERVER, $i)) {
		echo $i."\n";
	}
}

Expected result:
----------------
(no output)

Actual result:
--------------
REQUEST_TIME_FLOAT
REQUEST_TIME

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-11-13 18:56 UTC] avaer at avaer dot net
Encountered this bug on Arch Linux with PHP 5.5.5 and Apache 2.2. It also affects PHP_AUTH_USER and PHP_AUTH_PW - they are also inaccessible (should I report this as another bug?)
 [2013-12-04 05:43 UTC] mcochris at gmail dot com
Problem also exists in PHP version 5.5.5 on FreeBSD 9.2, Nginx 1.5.7, PHP-FPM. _SERVER["HOME"] and _SERVER["USER"] variables are also missing.

Test:
<?php
echo var_export(array_diff_key($_SERVER, filter_input_array(INPUT_SERVER, FILTER_UNSAFE_RAW)), true);
?>

should not return anything, but instead returns:
<?php
array (
  'HOME' => '/nonexistent',
  'USER' => 'www',
  'REQUEST_TIME_FLOAT' => 1386135028.8222,
  'REQUEST_TIME' => 1386135028,
)
?>

Same problem when using "filter_input" function, e.g.

<?php
filter_input(INPUT_SERVER, 'REQUEST_TIME',...
?>

The filter type doesn't seem to matter - same problem with FILTER_SANITIZE_FULL_SPECIAL_CHARS
 [2018-03-10 14:11 UTC] cmb@php.net
I fail to see why REQUEST_TIME(_FLOAT) should be filtered, since
these are not user suppliable values.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 08:01:25 2019 UTC