Edit report at https://bugs.php.net/bug.php?id=60541&edit=1

 ID:                 60541
 Updated by:         paj...@php.net
 Reported by:        klaussilve...@php.net
 Summary:            FILTER_SANITIZE_NUMBER_INT fails to filter strings
                     with plus and minus
 Status:             Bogus
 Type:               Bug
 Package:            Filter related
 Operating System:   UNIX
 PHP Version:        5.3.8
 Block user comment: N
 Private report:     N

 New Comment:

In other words, and as stated in the documentation, what you are looking for
are the validate filters, in this case FILTER_VALIDATE_INT, see
http://www.php.net/manual/en/filter.filters.validate.php

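The distinction drawn in this thread, as an added worked example (this is not code from the bug report or from PHP's own test suite): FILTER_SANITIZE_NUMBER_INT only strips characters, so its output can still be an invalid integer, while FILTER_VALIDATE_INT either returns an int or false. The helper names, the sample strings and the 1..1000000 range are assumptions made for the demonstration; only `filter_var` and the filter constants come from PHP.

```php
<?php
// Added example, not part of bug #60541. Shows why sanitising is not validating.

// Sanitise: only removes characters that are not digits, '+' or '-'.
// The result is a string and may not be a valid integer at all.
function sanitizeInt(string $raw): string
{
    return filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
}

// Validate: returns an int or null (false from filter_var is mapped to null).
// The optional range is what you want for ids, offsets, page sizes and the like.
function validateInt(string $raw, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
{
    $options = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $value = filter_var($raw, FILTER_VALIDATE_INT, $options);
    return $value === false ? null : $value;
}

// Constructed inputs (assumed for the demo). Single quotes keep "$@" literal.
$samples = [
    'ad--td#$@++qsdh-3', // the string from the report
    '-3',                // a valid negative integer
    '+3',                // explicit plus sign
    '03',                // leading zero: rejected by the validate filter
    '3.0',               // sanitising drops the dot and silently yields "30"
    '',                  // empty
];

foreach ($samples as $s) {
    printf(
        "%-22s sanitize=%-10s validate=%s\n",
        var_export($s, true),
        var_export(sanitizeInt($s), true),
        var_export(validateInt($s, 1, 1000000), true)
    );
}

// Sanitising first does not help: "--++-3" is still not an integer.
$sanitized = sanitizeInt('ad--td#$@++qsdh-3');
var_dump($sanitized);              // string(6) "--++-3"
var_dump(validateInt($sanitized)); // NULL
```

The practical rule that follows from the maintainers' answer: never treat the output of a sanitize filter as trusted input. If a value must be an integer, run FILTER_VALIDATE_INT (with a range where one applies) and reject the request on null; use the sanitize filter only for display or logging purposes where an invalid result is harmless.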

Previous Comments:
------------------------------------------------------------------------
[2011-12-17 18:18:37] cataphr...@php.net

Nothing says it should return a valid integer, just like the e-mail 
sanitization filter doesn't have to return a valid e-mail.

------------------------------------------------------------------------
[2011-12-17 17:23:12] klaussilve...@php.net

Yes, it matches the documentation. But filtering "ad--td#$@++qsdh-3" and
returning "--++-3" is wrong. The filter is not implemented correctly; it should
remove all + and - characters that are not next to a number. Filtering
"ad--td#$@++qsdh-3" should return "-3", that's a valid integer.

------------------------------------------------------------------------
[2011-12-17 14:31:51] cataphr...@php.net

Plus, this matches perfectly the documentation ("Remove all characters except 
digits, plus and minus sign.")

------------------------------------------------------------------------
[2011-12-17 14:31:16] cataphr...@php.net

The purpose of the sanitisation filters is not to transform data so as to make 
it valid, it merely "removes undesirable characters" (see 
http://php.net/manual/en/intro.filter.php ). Though this description is not 
entirely correct (for instance FILTER_SANITIZE_SPECIAL_CHARS with 
FILTER_FLAG_ENCODE_HIGH will transform some characters into HTML entities -- in 
a rather flawed way, I must say, because it arbitrarily assumes a sort of 
ISO-8859-1 extension), what is clear is that data may very well still be 
invalid after running the sanitisation filters.

------------------------------------------------------------------------
[2011-12-16 00:17:30] klaussilve...@php.net

The most elegant solution was to detect only + and - signs that are next to a 
number, and remove all others. For example:

filter_var("ad--td#$@++qsdh-3", FILTER_SANITIZE_NUMBER_INT); // returns -3

Right now, the filter behavior is: 

filter_var("ad--td#$@++qsdh-3", FILTER_SANITIZE_NUMBER_INT); // returns --++-3

Which is VERY bad and HORRIBLY wrong.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=60541

