|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72963 Null-byte injection in createFromFormat
Submitted: 2016-08-29 11:24 UTC Modified: 2022-05-20 13:55 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: qoqe at inbox dot lv Assigned: derick (profile)
Status: Closed Package: Date/time related
PHP Version: 7.0.10 OS: Linux, Windows
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: qoqe at inbox dot lv
New email:
PHP Version: OS:


 [2016-08-29 11:24 UTC] qoqe at inbox dot lv
createFromFormat method from DateTime class is sensitive to null-byte injection. 

According to best practices to verify if date is valid in PHP, the best way is to use DateTime::createFromFormat because it returns false if date isn't valid. This way to verify date is used in many CMS systems (for example, in Drupal).

The problem is that DateTime::createFromFormat second parameter is vulnerable to null-byte which can be passed to it when createFromFormat method is used to verify GET or POST param.

Here are results if application calls DateTime::createFromFormat('m/d/Y', $_GET['startFrom']); where

startFrom=8/8/2016 - will return true
startFrom=8/8/2016asd - will return false
startFrom=8/8/2016%00asd - will return true

It seems to be reliable verification if date is valid and developer might not use htmlspecialchars or real_escape_string after it. This may lead to SQL Injection or XSS.

Test script:
    function verifyDate($date, $strict = true) {
        $dateTime = DateTime::createFromFormat('m/d/Y', $date);
        if ($strict) {
            $errors = DateTime::getLastErrors();
            if (!empty($errors['warning_count'])) {
                return false;
        return $dateTime !== false;
    if(!empty($_GET['startFrom']) && verifyDate($_GET['startFrom'])) {
        // query to database without escaping $_GET['startFrom']
        // because it has passed verification of valid date
    // tests
    var_dump(verifyDate('asd')); // false
    var_dump(verifyDate('8/8/2016')); // true
    var_dump(verifyDate('8/8/2016asdasd')); // false
    var_dump(verifyDate("8/8/2016\x00asdasd")); // true


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-02 04:57 UTC]
-Type: Security +Type: Bug -Assigned To: +Assigned To: derick
 [2022-05-26 14:20 UTC]
Automatic comment on behalf of derickr
Log: Fixed bug #72963 (Null-byte injection in CreateFromFormat and related functions)
 [2022-05-26 14:20 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Apr 21 02:01:28 2024 UTC