ID: 50389
User updated by: aldekein at myevil dot info
Reported By: aldekein at myevil dot info
-Status: Feedback
+Status: Open
Bug Type: Filter related
Operating System: Windows 7
PHP Version: 5.2.11
New Comment:

This filter removes data that is potentially harmful for the application. I expected to get a clear string that could be used in MySQL, for example. But the backquote is dangerous in MySQL statements.

Previous Comments:
------------------------------------------------------------------------
[2009-12-07 08:06:20] j...@php.net

Oh, it was backquote, didn't paste well. :)
Anyway, why should that be stripped..? Or why should it end up as null..?
------------------------------------------------------------------------
[2009-12-04 17:43:10] aldekein at myevil dot info

Description:
------------
I try to sanitize:
Bug: "'`
I get:
Bug: \"\'`
The ` character is not sanitized. Why?

Reproduce code:
---------------
echo filter_var("\"'`", FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
or
echo filter_var("\"'`", FILTER_SANITIZE_STRING);

Expected result:
----------------
\"\'\� 00 = code for ` character.

Actual result:
--------------
\"\'`
------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=50389&edit=1
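An added illustration of the point under discussion, not code from the bug report or from the PHP project: FILTER_SANITIZE_STRING (deprecated since PHP 8.1) only strips tags and HTML-encodes quotes, so it is not a SQL escaping step and leaves the backtick untouched; the defensive route for MySQL is parameter binding for values and a fixed allow-list for identifiers, where a backtick would actually matter. The PDO DSN, credentials and table name below are placeholders.

```php
<?php
// Added illustration; not code from bug #50389 or from the PHP project.
// FILTER_SANITIZE_STRING strips tags and HTML-encodes " and '; it is not a
// SQL escaping function, so characters such as ` pass through unchanged.

$untrusted = "Bug: \"'`";   // constructed sample input, same characters as the report

// What the filter actually does: the backtick survives.
$filtered = filter_var($untrusted, FILTER_SANITIZE_STRING);
var_dump(strpos($filtered, '`') !== false);   // true: ` is still present

// Defensive pattern: never build SQL by concatenating filtered input.
// Bind values as parameters so quoting characters are never parsed as SQL.
// Assumes a PDO MySQL connection; DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

$stmt = $pdo->prepare('INSERT INTO bugs (title) VALUES (:title)');
$stmt->execute([':title' => $untrusted]);   // " ' ` are stored literally

// Backticks only matter where MySQL expects an identifier (table or column
// name). Parameters cannot be bound there, so map untrusted input onto a
// fixed allow-list instead of trying to sanitize it.
function sortColumn(string $requested): string
{
    $allowed = ['id', 'title', 'created_at'];
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

$column = sortColumn($_GET['sort'] ?? 'id');   // any other value falls back to 'id'
$rows = $pdo->query("SELECT id, title FROM bugs ORDER BY `$column`")->fetchAll();
```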