ID:               48906
User updated by:  arno dot zandink at gmail dot com
Reported By:      arno dot zandink at gmail dot com
Status:           Bogus
Bug Type:         Date/time related
Operating System: *
PHP Version:      5.3.0
New Comment:

Ah yes, you are right, I had forgotten that E_NOTICE is disabled at the company where I work. I added error_reporting(E_ALL); and I see the notice.

Thanks for your reply and your time.

Previous Comments:
------------------------------------------------------------------------

[2009-07-14 13:18:28] der...@php.net

There is actually a warning already:

der...@kossu:~$ php
<?php
checkdate("01", "01", "1980 <script>alert('test');</script>");
?>

Notice: A non well formed numeric value encountered in /home/derick/- on line 2

Call Stack:
    8.1010     653592   1. {main}() /home/derick/-:0
    8.1010     654376   2. checkdate(string(2), string(2), string(36)) /home/derick/-:2

------------------------------------------------------------------------

[2009-07-14 12:54:31] arno dot zandink at gmail dot com

OK, sounds logical indeed. The ticket can be closed in this case. I only recommend adding a notice / warning / hint on the manual page perhaps, to avoid people using checkdate() and after that inserting the date directly into the database.

Thanks for the time.

------------------------------------------------------------------------

[2009-07-14 11:14:52] sjoerd-php at linuxonly dot nl

The function checkdate() takes three integers as arguments. That means that if you pass it a string, it will be cast to an int. The string "1980 <script>alert('test');</script>" cast to an int will result in 1980. So

checkdate("01", "01", "1980 <script>alert('test');</script>")

is equivalent to

checkdate(1, 1, 1980)

This is not a bug in PHP, rather a limitation of checkdate: it assumes that you pass it numbers. You should check yourself that your input is numeric.

------------------------------------------------------------------------

[2009-07-13 20:54:59] arno dot zandink at gmail dot com

Hmm, indeed, I changed my script at the last minute because I got a deprecated notice.

My first test was as follows:

<?php
$date = "01-01-1980 <script>alert('test');</script>";
$aDate_parts = split('-', $date);
print_r($aDate_parts);
var_dump(
    checkdate(
        $aDate_parts[1], // Month
        $aDate_parts[0], // Day
        $aDate_parts[2]  // Year
    )
);
?>

This example will result in the following array:

<?php
Array
(
    [0] => 01
    [1] => 01
    [2] => 1980 <script>alert('test');</script>
)
?>

And it will return a boolean (true).

------------------------------------------------------------------------

[2009-07-13 19:49:18] sjoerd-php at linuxonly dot nl

Thank you for your bug report. Your example code can be summarized as follows:

<?php
var_dump(checkdate('01', '01', '1980'));
?>

I would expect this to return true, because January 1st 1980 is a valid date. Why do you think it is an invalid date?

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/48906
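
Added example, not part of the original bug report or of PHP itself: one way to do the "check yourself that your input is numeric" step discussed in the thread, so that checkdate() only ever receives real integers and the stored value is rebuilt from them. The helper name parse_dmy_strict() and the DD-MM-YYYY input format (taken from the reporter's test string) are assumptions; the sample inputs are constructed.

```php
<?php
// Added example; parse_dmy_strict() is a hypothetical helper name.

/**
 * Parse a DD-MM-YYYY string. Returns a normalized 'YYYY-MM-DD' string built
 * only from the validated integers, or null if the input is not exactly a date.
 */
function parse_dmy_strict($input)
{
    if (!is_string($input)) {
        return null;
    }
    // \A and \z anchor to the true start and end of the string; unlike $,
    // \z does not tolerate a trailing newline. Fixed-width ASCII digits only,
    // so trailing markup such as "<script>..." can never match.
    if (!preg_match('/\A(\d{2})-(\d{2})-(\d{4})\z/', $input, $m)) {
        return null;
    }
    $day   = (int) $m[1];
    $month = (int) $m[2];
    $year  = (int) $m[3];
    // checkdate() now receives integers, so no silent string-to-int cast occurs.
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    // Return a value rebuilt from the integers, never the raw input.
    return sprintf('%04d-%02d-%02d', $year, $month, $day);
}

// Constructed sample inputs.
$samples = array(
    "01-01-1980",                                  // valid date
    "01-01-1980 <script>alert('test');</script>",  // the string from the report
    "31-02-1980",                                  // well formed, not a real date
    "01-01-1980\n",                                // trailing newline
    "1-1-1980",                                    // wrong field width
);

foreach ($samples as $s) {
    $r = parse_dmy_strict($s);
    printf("%-50s => %s\n", json_encode($s), $r === null ? 'rejected' : $r);
}
```

The returned string is still data, not trusted markup or SQL: bind it as a query parameter when storing it and escape it when printing it into HTML.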