php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70882 Inconsistent return value for FILTER_SANITIZE_... when applied to empty objects
Submitted: 2015-11-09 14:29 UTC Modified: 2018-03-12 17:14 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: bugs dot php dot net_nospam at adviesenzo dot nl Assigned: cmb (profile)
Status: Not a bug Package: Filter related
PHP Version: 7.0.0RC6 OS:
Private report: No CVE-ID: None
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
1 + 45 = ?
Subscribe to this entry?

 
 [2015-11-09 14:29 UTC] bugs dot php dot net_nospam at adviesenzo dot nl
Description:
------------
Using filter_var() with any of the FILTER_SANITIZE_... filters will return either the sanitized value or an empty string.
This works for every single type of variable *but* an empty object.

With an empty object it returns `false` or in the case the FILTER_NULL_ON_FAILURE flag is set `false` in PHP 5 or `null` in PHP 7 (related: https://bugs.php.net/bug.php?id=67167 ).

Behaviour can be observed in numerous PHP versions here: http://phpcheatsheets.com/test/filter_extension_bool_int_float/
http://phpcheatsheets.com/test/filter_extension_strings/


Test script:
---------------
var_dump( filter_var( null, FILTER_SANITIZE_STRING ) ); // prints ''
var_dump( filter_var( '', FILTER_SANITIZE_STRING ) ); // prints ''
var_dump( filter_var( new stdClass(), FILTER_SANITIZE_STRING ) ); // prints bool(false)

var_dump( filter_var( null, FILTER_SANITIZE_NUMBER_FLOAT ) ); // prints ''
var_dump( filter_var( '', FILTER_SANITIZE_NUMBER_FLOAT ) ); // prints ''
var_dump( filter_var( new stdClass(), FILTER_SANITIZE_NUMBER_FLOAT ) ); // prints bool(false)

var_dump( filter_var( null, FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE ) ); // prints ''
var_dump( filter_var( '', FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE ) ); // prints ''
var_dump( filter_var( new stdClass(), FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE ) ); // prints NULL

Expected result:
----------------
When a sanitize filter is used on an empty object, I would expect PHP to return an empty string. This would make the behaviour more consistent.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-12 17:14 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2018-03-12 17:14 UTC] cmb@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Any object (unless it implements __toString()) or array will
exhibit this behavior (not only "empty" objects), and this is
rather sensible, since it makes it possible to distinguish between
reasonable but invalid input (such as a non-numeric string) and
nonsensical/impossible input.  If this distinction is not desired,
casting the return value to string is still possible.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Oct 14 03:01:27 2024 UTC