#49274 [Opn->Fbk]: filter_var() should accept objects without fatal error

pajoye Mon, 17 Aug 2009 06:48:53 -0700

 ID:               49274
 Updated by:       paj...@php.net
 Reported By:      cel...@php.net
-Status:           Open
+Status:           Feedback
 Bug Type:         Filter related
 Operating System: *
 PHP Version:      5.3SVN-2009-08-16 (SVN)
 New Comment:


As StdClass has no __toString implementation (obviously), it can't be
converted to string.

I tend to agree that it should not raise a fatal (recovable error) here
as it defeats the main purpose of this API.

I'm however not sure it is worth the effort to add custom error handler
for this edge case. Patch welcome, it could help to get this edge case
solved (I can't work on this exact issue any time soon).


Previous Comments:
------------------------------------------------------------------------

[2009-08-17 13:27:50] cel...@php.net

<?php
var_dump(filter_var(null, FILTER_VALIDATE_INT));
var_dump(filter_var(array(), FILTER_VALIDATE_INT));
var_dump(filter_var('hi', FILTER_VALIDATE_INT));
var_dump(filter_var(1.1, FILTER_VALIDATE_INT));
var_dump(filter_var(fopen('somefile', 'r'), FILTER_VALIDATE_INT));
var_dump(filter_var(1, FILTER_VALIDATE_INT));
var_dump(filter_var('1.0', FILTER_VALIDATE_INT));
?>

all work without error.

<?php
class blah {function __toString(){return '1';}}
var_dump(filter_var(new blah, FILTER_VALIDATE_INT));
?>

works without error.

Only filter_var with an object that doesn't implement __toString fails
with an error.  Either filter is incorrectly returning false with no
error on all of those other random types, or you're wrong, Jani.

------------------------------------------------------------------------

[2009-08-17 13:13:43] j...@php.net

This is not a bug. It's exactly what's supposed to happen. When you
pass crap in you get crap out. The language isn't supposed to hold your
hand in every corner.

------------------------------------------------------------------------

[2009-08-17 11:45:09] cel...@php.net

don't know, that's up to the developers to decide, don't you think?

------------------------------------------------------------------------

[2009-08-17 09:32:59] j...@php.net

Does this happen ONLY with PHP_5_3 branch? If not, please use the
proper version string.

------------------------------------------------------------------------

[2009-08-16 22:09:05] cel...@php.net

Description:
------------
<?php
filter_var(new stdClass, FILTER_VALIDATE_EMAIL);
?>

throws a fatal error because stdClass can't be converted into a string.
 filter_var() should be more flexible and simply return false in this
situation, it makes it very difficult to provide validation not just for
untrusted user input but for untrusted third party use of libraries who
may make it insecure by passing in the wrong value to a field for
setting.



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49274&edit=1

#49274 [Opn->Fbk]: filter_var() should accept objects without fatal error

Reply via email to