ID: 50389
Updated by: il...@php.net
Reported By: aldekein at myevil dot info
-Status: Open
+Status: Closed
Bug Type: Filter related
Operating System: Windows 7
PHP Version: 5.2.11

New Comment:
The FILTER_FLAG_STRIP_HIGH flag only strips chars with value > 127; ` (backtick) is 96, so it does not get stripped. I've added a FILTER_FLAG_STRIP_BACKTICK filter flag for PHP 5.3+ that will allow removal of the backtick character.

Previous Comments:
------------------------------------------------------------------------

[2009-12-07 09:36:21] aldekein at myevil dot info

This filter removes data that is potentially harmful for the application. I expected to get a clear string that could be used in MySQL, for example. But the backquote is dangerous in MySQL statements.

------------------------------------------------------------------------

[2009-12-07 08:06:20] j...@php.net

Oh, it was a backquote, it didn't paste well. :) Anyway, why should that be stripped..? Or why should it end up as null..?

------------------------------------------------------------------------

[2009-12-04 17:43:10] aldekein at myevil dot info

Description:
------------
I try to sanitize: Bug: "'`
I get: Bug: \"\'`
The ` character is not sanitized. Why?

Reproduce code:
---------------
echo filter_var("\"'`", FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
or
echo filter_var("\"'`", FILTER_SANITIZE_STRING);

Expected result:
----------------
\"\'\� 00 = code for ` character.

Actual result:
--------------
\"\'`

------------------------------------------------------------------------
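An added example, not code from the bug report or from PHP's own test suite, that runs the report's input through FILTER_SANITIZE_STRING under each relevant flag. It assumes PHP 5.3.2 or later (where FILTER_FLAG_STRIP_BACKTICK exists) and appends one constructed byte above 127 so the difference between STRIP_HIGH and STRIP_BACKTICK is visible side by side.

```php
<?php
// Added example, not code from the bug report. Assumes PHP >= 5.3.2 (the
// release that introduced FILTER_FLAG_STRIP_BACKTICK); note that
// FILTER_SANITIZE_STRING itself is deprecated as of PHP 8.1.

// Constructed input: the report's three characters plus one byte > 127
// (0xE9) so STRIP_HIGH's behaviour is visible next to the backtick (0x60).
$input = "\"'`\xE9";

$cases = array(
    'no flags'             => 0,
    'STRIP_HIGH'           => FILTER_FLAG_STRIP_HIGH,
    'STRIP_LOW|STRIP_HIGH' => FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH,
    'STRIP_BACKTICK'       => FILTER_FLAG_STRIP_BACKTICK,
);

// Report which of the two characters of interest survived the filter.
function describe($output)
{
    return sprintf('backtick %s, byte 0xE9 %s',
        strpos($output, '`') === false ? 'stripped' : 'kept',
        strpos($output, "\xE9") === false ? 'stripped' : 'kept');
}

foreach ($cases as $label => $flags) {
    $output = filter_var($input, FILTER_SANITIZE_STRING, $flags);
    // bin2hex keeps the raw high byte from reaching the terminal.
    printf("%-22s => %-24s (%s)\n", $label, bin2hex($output), describe($output));
}
```

Stripping the backtick only narrows the character set; it is not a defence for building SQL from user input, where prepared statements for values and a whitelist for identifiers are the control to rely on.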