|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79237 filter_var limited to 8192 characters in input string
Submitted: 2020-02-07 03:29 UTC Modified: 2020-02-07 10:43 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: murray at focus-computing dot com dot au Assigned:
Status: Verified Package: *Regular Expressions
PHP Version: 7.3Git-2020-02-07 (Git) OS: Debian 4.19.67-2+deb10u1 (2019-0
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2020-02-07 03:29 UTC] murray at focus-computing dot com dot au
I was testing some input being passed via a parameter to my script.  I was getting an error indicating that the value passed was invalid, yet it didn't contain any of the strings I was searching for.  
I went through the process of shortening the string and when I got below 8192 chars in length it worked, over 8192 chars in length it would fail.

I also tried this on PHP v7.1.32 and the exact same code on my Mac OSX which worked correctly.

Test script:
filter_var(trim($_REQUEST['parms']), FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => "/^((?!union select|union all|\'A=|select char).)*$/im")));

Expected result:
A) filter_var should handle strings longer than 8192 chars


B) Add documentation to filter_var manual entry indicating maximum length of string.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-07 08:03 UTC]
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-02-07 08:03 UTC]
Please try again with pcre.jit=0 (unless you did already).  With
pcre.jit=1, I get PCRE2_ERROR_JIT_STACKLIMIT[1] internally.

[1] <>
 [2020-02-07 09:41 UTC] murray at focus-computing dot com dot au
-Status: Feedback +Status: Assigned
 [2020-02-07 09:41 UTC] murray at focus-computing dot com dot au
I tried pcre.jit=0 and this worked.
I'm not sure what that changes, or why it worked.  I'm happy, but perhaps we should add a comment to the online manual?
 [2020-02-07 10:43 UTC]
-Status: Assigned +Status: Verified -Assigned To: cmb +Assigned To:
 [2020-02-07 10:43 UTC]
Thanks for the confirmation.

It seems to me there should be some hint available why that regex
match failed; maybe just set the last PCRE error, so a user can
get information by calling preg_last_error() (what could be
regarded as BC break, though).
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Feb 24 23:01:27 2024 UTC