[wp-trac] [WordPress Trac] #16867: Where is it appropriate to use filter_var

WordPress Trac noreply at wordpress.org
Thu May 12 01:22:51 UTC 2022

#16867: Where is it appropriate to use filter_var
 Reporter:  aaroncampbell  |       Owner:  (none)
     Type:  enhancement    |      Status:  reopened
 Priority:  normal         |   Milestone:
Component:  General        |     Version:  3.2
 Severity:  normal         |  Resolution:
 Keywords:  westi-likes    |     Focuses:

Comment (by dd32):

 I don't have a strong opinion right now - I don't know how stable the
 functions are in PHP 7+ as most of my experience with it was back with PHP

 If `filter_var()`'s implementation for a given 'thing' is stable and
 hasn't had any major bug fixes since the lowest PHP supported by WP, and
 isn't dependant upon modules that may not be compiled into all PHPs, then
 I see no harm in using it where appropriate.. but there can be security
 implications of relying upon it if PHP only fixed something in their
 supported branches. It can also make back-porting things to older WP's
 harder where they run on older versions of PHP as a result.

 Here's some quick examples I pulled up, where an implementation in pure-
 PHP might be a better option
  - https://pwning.systems/posts/php_filter_var_shenanigans/ +
 src/commit/771dbdb319fa7f90584f6b2cc2c54ccff570492d (2022; could have
 security implications)
  - https://github.com/php/php-src/pull/6573  (2021; Where it's only fixed
 in PHP8+, although an unlikely code branch to used in WP, or unlikely to
 cause issues if so, but a change-in-behaviour between PHP versions)
  - https://bugs.php.net/bug.php?id=71745 (2016; Unsure if this was fixed
 in other versions, but this is an example of where using it for security
 can have unexpected bypasses)

Ticket URL: <https://core.trac.wordpress.org/ticket/16867#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list