Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
function date_validate($form) {
if (!checkdate($form['#value']['month'], $form['#value']['day'], $form['#value']['year'])) {
form_error($form, t('The specified date is invalid.'));
}
}
checkdate() requires integer parameters, otherwise it fails with something like
checkdate() expects parameter 1 to be long, string given
I don't know how he did it, but a user has managed to produce this error on a D6 site by submitting user/register. So we should probably use is_int() on all three values before passing them on to checkdate().
Comment | File | Size | Author |
---|---|---|---|
#12 | drupal-typecast-checkdate-480366-12.patch | 611 bytes | joelstein |
#2 | date_validate.patch | 1.2 KB | casey |
Comments
Comment #2
casey CreditAttribution: casey commentedI think you have strict error reporting enabled. A cast to (int) would do I think.
Comment #3
casey CreditAttribution: casey commentedsorry patch contains also 2 whitespace@endofline removals
Comment #4
salvisNo, this showed up in the watchdog log on a production site with a normal distribution tarball installed. If you run
in Devel's Execute PHP block, you'll get that result.
Casting to int does avoid the error, at least on my system, which is running PHP 5.2.6. But will it work for all PHP versions and everything that gets thrown at it? The PHP doc (http://ch2.php.net/manual/en/language.types.integer.php#language.types.i...) is very vague about this, but it explicitely warns against trying to convert unknown types to int:
Rather than trying to cast to an int, would it be unreasonable to require ints, i.e. to use is_int() on the parameters and to reject anything else?
Comment #5
Dries CreditAttribution: Dries commentedThe patch fixes the symptoms, but might not fix the real cause. I'd like to see if we can identify the cause first.
Comment #6
salvisI have no idea about the cause. As I wrote in the OP I found it in a watchdog entry for the user/register page. It may have been a hacking attempt, but it was an isolated occurrence.
Comment #7
casey CreditAttribution: casey commentedI think it's just because form input is not strictly checked ('12' == 12, instead of '12' === 12), so _form_validate() passes (uses isset() which also doesn't check strictly).
checkdate() however seems to check its arguments strictly by type.
Comment #8
salvisNo,
echo checkdate('1', 2, 3);
works just fine and returns 1, at least on my installation.
Comment #9
MichaelCole CreditAttribution: MichaelCole commented#2: date_validate.patch queued for re-testing.
Comment #11
xaris.tsimpouris CreditAttribution: xaris.tsimpouris commentedWhy not using "@" with type-casting? No errors, job done.. not everybody happy?
Comment #12
joelstein CreditAttribution: joelstein as a volunteer commentedWe saw this issue in Webform (#2831514: Warning: checkdate() expects parameter 3 to be long, string given in webform_validate_date()) and I think we should cast the variables to int to prevent this error. checkdate() will still return FALSE if an invalid date value like "n/a" is given, but it will do so quietly. Here's an updated patch. Does this also need a test?