php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #74482 Missing validation of date in DateTime::createFromFormat
Submitted: 2017-04-20 15:01 UTC Modified: 2017-04-24 11:52 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: spam at bugyik dot cz Assigned:
Status: Not a bug Package: Date/time related
PHP Version: 7.1.4 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: spam at bugyik dot cz
New email:
PHP Version: OS:

 

 [2017-04-20 15:01 UTC] spam at bugyik dot cz 
Description:
------------
I'm missing validation of date-time in DateTime::createFromFormat. The example below tells more.

Test script:
---------------
<?php

var_dump(\DateTime::createFromFormat(\DateTime::RFC3339, '2017-99-99T08:51:13-03:00'));

Expected result:
----------------
some exception expected (like from new DateTime('bad-time'))

Actual result:
--------------
object(DateTime)#1 (3) {
  ["date"]=>
  string(26) "2025-06-07 08:51:13.000000"
  ["timezone_type"]=>
  int(1)
  ["timezone"]=>
  string(6) "-03:00"
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-04-20 15:06 UTC] php-bugs at allenjb dot me dot uk 
DateTime has an internal warnings system it uses which you can use to detect invalid dates - see DateTime::getLastErrors(): https://3v4l.org/8IBbL
 [2017-04-20 16:24 UTC] spam at bugyik dot cz 
@allenjb: thanks for your suggestion, but I think this is only workaround, do you agree?
 [2017-04-21 11:38 UTC] heiglandreas@php.net
-Status: Open +Status: Not a bug
 [2017-04-21 11:38 UTC] heiglandreas@php.net 
Nope. The date you provided actually is not invalid. DateTime *assumes that you want to give a valid date*. As it's clearly not valid, DateTime tries to find a way to make it valid and also adds an error to the log. 

So when you want to break DateTime on purpose by passing it invalid parameters it's not a bug in DateTime.

You are looking for a way to *validate* a date which is not something the DateTime-library is made for. And as you are using a method that explicitly is named *create*FromFormat it can be assumed that you want to get a DateTime-Object from the input and not want an exception to be thrown…
 [2017-04-21 11:58 UTC] spam at bugyik dot cz 
@heiglandreas: Yes of course, it's not a bug, it's a feature. So, there is two way to create DateTime object from string with inconsistent behaviour. I forget, this is PHP :D

https://3v4l.org/v0IQb


> DateTime *assumes that you want to give a valid date*.

Sorry, but I'm using DateTime specially for validate user-input. I don't want to validate myself if *2017-99-99* is valid date,
 [2017-04-24 11:52 UTC] heiglandreas@php.net 
If you're looking to validate the user-input then use DateTime::createFromFormat and check the last error as suggested by php-bugs at allenjb dot me dot uk.

As it's an invalid Date you are providing "new DateTime()" will fail. When you want to create a DateTime-Object from the provided date at all costs, use the factory-method DateTime::createFromFormat.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 20 03:01:28 2024 UTC