#49274 [Bgs->Opn]: filter_var() should accept objects without fatal error

Mon, 17 Aug 2009 06:28:02 -0700 

 ID:               49274
 Updated by:       cel...@php.net
 Reported By:      cel...@php.net
-Status:           Bogus
+Status:           Open
 Bug Type:         Filter related
 Operating System: *
 PHP Version:      5.3SVN-2009-08-16 (SVN)
 New Comment:

<?php
var_dump(filter_var(null, FILTER_VALIDATE_INT));
var_dump(filter_var(array(), FILTER_VALIDATE_INT));
var_dump(filter_var('hi', FILTER_VALIDATE_INT));
var_dump(filter_var(1.1, FILTER_VALIDATE_INT));
var_dump(filter_var(fopen('somefile', 'r'), FILTER_VALIDATE_INT));
var_dump(filter_var(1, FILTER_VALIDATE_INT));
var_dump(filter_var('1.0', FILTER_VALIDATE_INT));
?>

all work without error.

<?php
class blah {function __toString(){return '1';}}
var_dump(filter_var(new blah, FILTER_VALIDATE_INT));
?>

works without error.

Only filter_var with an object that doesn't implement __toString fails
with an error.  Either filter is incorrectly returning false with no
error on all of those other random types, or you're wrong, Jani.


Previous Comments:
------------------------------------------------------------------------

[2009-08-17 13:13:43] j...@php.net

This is not a bug. It's exactly what's supposed to happen. When you
pass crap in you get crap out. The language isn't supposed to hold your
hand in every corner.

------------------------------------------------------------------------

[2009-08-17 11:45:09] cel...@php.net

don't know, that's up to the developers to decide, don't you think?

------------------------------------------------------------------------

[2009-08-17 09:32:59] j...@php.net

Does this happen ONLY with PHP_5_3 branch? If not, please use the
proper version string.

------------------------------------------------------------------------

[2009-08-16 22:09:05] cel...@php.net

Description:
------------
<?php
filter_var(new stdClass, FILTER_VALIDATE_EMAIL);
?>

throws a fatal error because stdClass can't be converted into a string.
 filter_var() should be more flexible and simply return false in this
situation, it makes it very difficult to provide validation not just for
untrusted user input but for untrusted third party use of libraries who
may make it insecure by passing in the wrong value to a field for
setting.



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49274&edit=1

Reply via email to