#41250 [Bgs]: Filter SANITIZE_STRING only filters backslash when escaping
ID: 41250
User updated by: david at emomentum dot co dot uk
Reported By: david at emomentum dot co dot uk
Status: Bogus
Bug Type: Filter related
Operating System: Windows XP
PHP Version: 5CVS-2007-05-01 (snap)

New Comment:

You don't want to be using a bind/prepared statement for every query with user-submitted data though. Personally, I'd expect the FILTER_SANITIZE_STRING filter to filter out special characters like \ anyway.

Previous Comments:
------------------------------------------------------------------------

[2007-05-02 13:04:20] [EMAIL PROTECTED]

You should use bind/prepared queries for SQL, definitely *not* the magic quotes filter.

------------------------------------------------------------------------

[2007-05-02 12:20:43] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

Neither example actually filters a backslash. The first example doesn't even see a backslash, since \' is parsed as one symbol: a single quote escaped by the backslash. I think if you intend to use it with SQL it's better to use either FILTER_SANITIZE_MAGIC_QUOTES or an encoding filter.

------------------------------------------------------------------------

[2007-05-01 09:52:31] david at emomentum dot co dot uk

Description:
------------
The filter FILTER_SANITIZE_STRING only filters out a backslash when it is escaping something. This means that if a backslash is entered into a form without escaping anything, it will not be filtered and could be executed into SQL, therefore triggering an escape within the SQL and generating an error.

Reproduce code:
---------------
<?php
// First value: the backslash escapes the quote inside the single-quoted literal
$value = '\'example';
echo filter_var($value, FILTER_SANITIZE_STRING) . "\n";
// Second value: \e is not an escape sequence, so the backslash is part of the string
$value = '\example';
echo filter_var($value, FILTER_SANITIZE_STRING) . "\n";
?>

Expected result:
----------------
'example
example

Actual result:
--------------
'example
\example
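An added example, not code from this bug report or from PHP's own sources, that runs the report's two inputs through FILTER_SANITIZE_STRING and then through a PDO prepared statement, the approach the developers recommend above. It assumes PHP with the pdo_sqlite extension; the `notes` table and its `body` column are constructed for the demonstration.

```php
<?php
// Added example (not from bug #41250 or PHP's sources). Assumes PHP with the
// pdo_sqlite extension. FILTER_SANITIZE_STRING is deprecated since PHP 8.1;
// it is called here only to reproduce the behaviour under discussion.
declare(strict_types=1);

// The report's two inputs. In the first, PHP's single-quoted string parser
// consumes the backslash as the escape for the quote, so the filter never
// sees it; in the second, "\e" is not an escape, so the backslash stays.
$inputs = ['\'example', '\example'];

// 1. What FILTER_SANITIZE_STRING does: strip tags and HTML-encode quotes.
//    It is an HTML-oriented filter and knows nothing about SQL escaping.
foreach ($inputs as $value) {
    $filtered = @filter_var($value, FILTER_SANITIZE_STRING); // @ silences the deprecation notice
    printf("%-12s -> %s\n", var_export($value, true), var_export($filtered, true));
}
// Prints (at the CLI; a browser renders &#39; back as a quote, as in the report):
//   '\'example'  -> '&#39;example'
//   '\\example'  -> '\\example'

// 2. What the developers recommend: a bound parameter. The value is never
//    spliced into the SQL text, so a quote or backslash cannot alter the
//    statement, whatever the server's literal-escaping rules are.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE notes (body TEXT NOT NULL)'); // constructed schema

$insert = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
$select = $db->prepare('SELECT body FROM notes WHERE body = :body');
foreach ($inputs as $value) {
    $insert->execute([':body' => $value]);
    $select->execute([':body' => $value]);
    $stored = $select->fetchColumn();
    // Both values, quote and backslash included, come back byte-for-byte.
    if ($stored !== $value) {
        throw new RuntimeException('value did not round-trip: ' . var_export($stored, true));
    }
    printf("round-tripped intact: %s\n", var_export($stored, true));
}
```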
#41250 [NEW]: Filter SANITIZE_STRING only filters backslash when escaping
From: david at emomentum dot co dot uk
Operating system: Windows XP
PHP version: 5CVS-2007-05-01 (snap)
PHP Bug Type: Filter related
Bug description: Filter SANITIZE_STRING only filters backslash when escaping