ID: 50389
User updated by: aldekein at myevil dot info
Reported By: aldekein at myevil dot info
-Status: Feedback
+Status: Open
Bug Type: Filter related
Operating System: Windows 7
PHP Version: 5.2.11
New Comment:
This filter removes data that is potentially harmful for the
application. I expected to get a clear string that could be used in
MySQL, for example. But the backquote is dangerous in MySQL statements.
Previous Comments:
------------------------------------------------------------------------
[2009-12-07 08:06:20] j...@php.net
Oh, it was backquote, didn't paste well. :) Anyway, why should that be
stripped..? Or why it should end up as null..?
------------------------------------------------------------------------
[2009-12-04 17:43:10] aldekein at myevil dot info
Description:
------------
I try to sanitize:
Bug: "'`
I get:
Bug: \"\'`
The ` character is not sanitized. Why?
Reproduce code:
---------------
echo filter_var("\"'`", FILTER_SANITIZE_STRING,
FILTER_FLAG_STRIP_HIGH);
or
echo filter_var("\"'`", FILTER_SANITIZE_STRING);
Expected result:
----------------
\"\'\�
00 = code for ` character.
Actual result:
--------------
\"\'`
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=50389&edit=1
