[wp-trac] [WordPress Trac] #16867: Where is it appropriate to use filter_var
WordPress Trac
noreply at wordpress.org
Thu May 12 01:22:51 UTC 2022
#16867: Where is it appropriate to use filter_var
---------------------------+-----------------------
Reporter: aaroncampbell | Owner: (none)
Type: enhancement | Status: reopened
Priority: normal | Milestone:
Component: General | Version: 3.2
Severity: normal | Resolution:
Keywords: westi-likes | Focuses:
---------------------------+-----------------------
Comment (by dd32):
I don't have a strong opinion right now - I don't know how stable the
functions are in PHP 7+ as most of my experience with it was back with PHP
5.x.
If `filter_var()`'s implementation for a given 'thing' is stable and
hasn't had any major bug fixes since the lowest PHP supported by WP, and
isn't dependant upon modules that may not be compiled into all PHPs, then
I see no harm in using it where appropriate.. but there can be security
implications of relying upon it if PHP only fixed something in their
supported branches. It can also make back-porting things to older WP's
harder where they run on older versions of PHP as a result.
Here's some quick examples I pulled up, where an implementation in pure-
PHP might be a better option
- https://pwning.systems/posts/php_filter_var_shenanigans/ +
https://github.com/php/php-
src/commit/771dbdb319fa7f90584f6b2cc2c54ccff570492d (2022; could have
security implications)
- https://github.com/php/php-src/pull/6573 (2021; Where it's only fixed
in PHP8+, although an unlikely code branch to used in WP, or unlikely to
cause issues if so, but a change-in-behaviour between PHP versions)
- https://bugs.php.net/bug.php?id=71745 (2016; Unsure if this was fixed
in other versions, but this is an example of where using it for security
can have unexpected bypasses)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16867#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list