Hi all, I'm not really sure if this is the correct list to place this
on. Apologies if it is not. I've come across some unexpected
behaviour in the new filter_var function but I'm not really sure if
it's just me not understanding the documentation correctly.
I have the following two functions which should filter the HIGH ASCII
chars and manually strip the LOW ASCII chars (so as to allow through
\r \n).
If the line

    $input = filter_var( $input, FILTER_SANITIZE_STRING,
                         FILTER_FLAG_STRIP_HIGH
                         | FILTER_FLAG_ENCODE_AMP
                         | FILTER_NULL_ON_FAILURE);

is executed before manually searching for characters like \0, it
appears to affect the ability of mb_strpos to identify low-numbered
ASCII characters.
Is the filter_var function automagically removing the \0 ? I'm not
saying this is bad in any way. I can't imagine what you would want/need
a null byte for in PHP :)
Just wanted to check that this is in fact the behaviour that is
expected, as I wasn't expecting it from what the docs said.
#!/usr/bin/php
<?php
// Test 1: look for low ASCII bytes first, then sanitise.
function test1( $input )
{
    // we want the outcome to be false
    $haslownum = false;
    for ( $i = 0; $i < 32; $i++ )
    {
        // 10 is LF line feed, 13 is CR carriage return: both are allowed
        // mb_strpos returns the offset (0 for a match at the start), so
        // compare strictly against false rather than testing truthiness
        if ( ($i != 10 && $i != 13) && mb_strpos($input, chr($i)) !== false )
        {
            $haslownum = true;
            $input = null;
            break;
        }
    }
    $input = filter_var( $input, FILTER_SANITIZE_STRING,
                         FILTER_FLAG_STRIP_HIGH
                         | FILTER_FLAG_ENCODE_AMP
                         | FILTER_NULL_ON_FAILURE);
    return $input;
} // end test1

// Test 2: sanitise first, then look for low ASCII bytes.
function test2( $input )
{
    $input = filter_var( $input, FILTER_SANITIZE_STRING,
                         FILTER_FLAG_STRIP_HIGH
                         | FILTER_FLAG_ENCODE_AMP
                         | FILTER_NULL_ON_FAILURE);
    // we want the outcome to be false
    $haslownum = false;
    for ( $i = 0; $i < 32; $i++ )
    {
        // 10 is LF line feed, 13 is CR carriage return: both are allowed
        if ( ($i != 10 && $i != 13) && mb_strpos($input, chr($i)) !== false )
        {
            $haslownum = true;
            $input = null;
            break;
        }
    }
    return $input;
} // end test2

$input = "myname\0.php";
$input = test1($input);
echo "Test #1 should be null : " . $input . "\n";

$input = "myname\0.php";
$input = test2($input);
echo "Test #2 should be null? : " . $input . "\n";
Hi,
> Is the filter_var function automagically removing the \0 ?

Not magically, it is normal and expected. You can keep these kinds of
values using one of the encode flags, like:

    $a = filter_var("abc\0\r\n", FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_LOW);
--Pierre
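Added example (not code from either message in the thread): the check for control bytes is done before filter_var() runs, since the sanitiser drops the NUL and a check made afterwards can no longer see it, and the offset returned by strpos() is compared strictly against false so that a control byte at offset 0 is not missed. The function names hasLowAscii and filterForDbAllowCr and the sample inputs are assumptions.

```php
<?php
// Added example, not from the thread. Names and sample inputs are constructed.
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.

// Returns true when $input contains an ASCII control byte (0-31) other than
// LF (10) and CR (13). strpos() is binary-safe and returns int(0) for a match
// at offset 0, which a plain truthy test would treat as "not found".
function hasLowAscii(string $input): bool
{
    for ($i = 0; $i < 32; $i++) {
        if ($i === 10 || $i === 13) {
            continue;
        }
        if (strpos($input, chr($i)) !== false) {
            return true;
        }
    }
    return false;
}

// Reject first, sanitise second: null for rejected input, otherwise the
// string with high bytes stripped and '&' encoded, CR/LF left untouched.
function filterForDbAllowCr(string $input): ?string
{
    if (hasLowAscii($input)) {
        return null;
    }
    $out = filter_var(
        $input,
        FILTER_SANITIZE_STRING,
        FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_ENCODE_AMP
    );
    return $out === false ? null : $out;
}

// Constructed inputs for the demonstration.
$cases = [
    "myname\0.php",   // NUL in the middle, as in the original post
    "\0myname.php",   // NUL at offset 0: a truthy check on strpos() misses this
    "line1\r\nline2", // CR/LF are allowed through
];
foreach ($cases as $c) {
    echo json_encode($c) . ' => ' . var_export(filterForDbAllowCr($c), true) . "\n";
}
```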