Hi all, I'm not really sure if this is the correct list to place this
on. Apologies if it is not. I've come across some unexpected
behaviour in the new filter_var function but I'm not really sure if
it's just me not understanding the documentation correctly.

I have the following two functions which should filter the HIGH ascii
chars and manually strip the LOW ascii chars (so as to allow through
\r \n).

If the line
$input =  filter_var( $input, FILTER_SANITIZE_STRING,
FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_ENCODE_AMP |
FILTER_NULL_ON_FAILURE);

is executed before manually searching for characters like \0, it
appears to affect the ability of mb_strpos to identify low numbered
ascii characters.

Is the filter_var function automagically removing the \0? I'm not
saying this is bad in any way. I can't imagine what you would want/need
a null byte for in PHP :)

Just wanted to check that this is in fact the behaviour that is
expected, as I wasn't expecting it from what the docs said.


#!/usr/bin/php
<?php


       function test1( $input )
       {
           // we want the outcome to be false
           $haslownum = false;
           for( $i = 0; $i< 32 ;$i++)
           {
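               // 10 is LF and 13 is CR (carriage return); both are allowed.
               // mb_strpos() returns 0 for a match at offset 0, so compare
               // against false strictly.
               if( ($i != 10 && $i != 13 ) && mb_strpos($input,chr($i)) !== false )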
               {
                   $haslownum = true;
                   $input = null;
                   break;
               }
           }
           $input = filter_var( $input, FILTER_SANITIZE_STRING,
               FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_ENCODE_AMP |
               FILTER_NULL_ON_FAILURE);

           return $input;
       }

       function test2( $input )
       {
           $input = filter_var( $input, FILTER_SANITIZE_STRING,
               FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_ENCODE_AMP |
               FILTER_NULL_ON_FAILURE);

           // we want the outcome to be false
           $haslownum = false;
           for( $i = 0; $i< 32 ;$i++)
           {
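               // 10 is LF and 13 is CR (carriage return); both are allowed.
               // mb_strpos() returns 0 for a match at offset 0, so compare
               // against false strictly.
               if( ($i != 10 && $i != 13 ) && mb_strpos($input,chr($i)) !== false )
               {
                   $haslownum = true;
                   $input = null;
                   // stop here so null is not passed back into mb_strpos()
                   break;
               }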
           }


           return $input;
       } // end test2


$input = "myname\0.php";

$input = test1($input);

echo "Test #1 should be null : ".$input."\n";

$input = "myname\0.php";
$input = test2($input);

echo "Test #2 should be null? : ".$input."\n";

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
