ID: 41250
User updated by: david at emomentum dot co dot uk
Reported By: david at emomentum dot co dot uk
Status: Bogus
Bug Type: Filter related
Operating System: Windows XP
PHP Version: 5CVS-2007-05-01 (snap)
New Comment:
You don't want to be used a bind/prepared statement for every query
with user submitted data though. Personally, I'd expect the
FILTER_SANITIZE_STRING filter to filter out special characters like \
anyway.
Previous Comments:
[2007-05-02 13:04:20] [EMAIL PROTECTED]
You should use bind/prepared queries for SQL, definitely *not* the
magic quotes filter.
[2007-05-02 12:20:43] [EMAIL PROTECTED]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
Neither example actually filters backslash. First example doesn't even
see backslash since \' is parsed as one symbol - single quote, escaped
by the backslash. I think if you intend to use it with SQL it's better
to use either FILTER_SANITIZE_MAGIC_QUOTES or encoding filter.
[2007-05-01 09:52:31] david at emomentum dot co dot uk
Description:
The filter FILTER_SANITIZE_STRING only filters out a backslash when it
is escaping something. This means if a backslash is entered into a form
without escaping anything, it will not be filtered and could be executed
into SQL, therefore triggering an escape within the SQL and generating
an error.
Reproduce code:
---
';
$value = '\example';
echo filter_var($value, FILTER_SANITIZE_STRING).'';
?>
Expected result:
'example
example
Actual result:
--
'example
\example
--
Edit this bug report at http://bugs.php.net/?id=41250&edit=1