PHP :: Request #40224 :: Could PHP leave superglobal array indices alone?

Could PHP leave superglobal array indices alone?

Submitted:

2007-01-24 20:09 UTC

Modified:

2008-01-02 15:02 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 1 (0.0%)

From:

joem at tempomg dot com

Assigned:

Status:

Wont fix

Package:

Feature/Change Request

PHP Version:

5.2.0

OS:

redhat linux

Private report:

CVE-ID:

None

View Developer Edit

[2007-01-24 20:09 UTC] joem at tempomg dot com

Description:
------------
I think it would make more sense if PHP only replaced '.' and ' ' with '_' when register_globals is turned on, and only for the variables that are registered in the global scope, leaving the superglobals' index names as they are.

I understand that variable names can't have '.' or ' ' in them, however it seems that most people use the $_POST['variablename'] method of accessing external variables, and in this case, the spaces and dots make no difference.

I could find practically no reference to this behavior in the manual, other than a couple notes I submitted.  At the very least, the fact that these characters are replaced should be made more obvious in the manual under "Predefined Variables" at http://us2.php.net/manual/en/language.variables.predefined.php and http://us2.php.net/manual/en/reserved.variables.php

Reproduce code:
---------------
<form method="post">
  <input name="title for page3.php" type="text">
  <input type="submit">
</form>

Title submitted:
<?php
  if (count($_POST) > 0)
    echo $_POST['title for page3.php'];
?>

Expected result:
----------------
I expect to see the title I submitted print out.

Actual result:
--------------
The POST key 'title for page3.php' is changed to 'title_for_page3_php', and nothing prints out.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-12-31 23:15 UTC] michael at chunkycow dot com dot au

G'day

Why dont you just call it 'title' then:

<?
if(!empty($_POST['title']))
  echo $_POST['title'];
?>

you can even make them an array eg.

<form method="post">
  <input name="title[]" type="text">
  <input type="submit">
</form>

<?
if( (!empty($_POST['title'])) && is_array($_POST['title']))
{
  foreach($_POST['title'] AS $title)
    echo $title,'<br>';
}
?>

You should be escaping the output for real life code but I'm sure you knew that ;)

[2008-01-01 16:24 UTC] johannes@php.net

This can't be fixed without breaking application relying on that feature.

[2008-01-02 15:02 UTC] joem at tempomg dot com

If, aside from backward compatibility, there are no disadvantages to fixing this bug, wouldn't it be easy enough to have both versions of the variable in the superglobal array to make the fix backward compatible?

Also, in response to Michael: right, the sample code is not real life code obviously :)  The reason I am using variable names with spaces and periods is that the variable names are autogenerated based on page titles and filenames.  I figured out a way around it easily enough - after I figured out what was happening.  But it took me a while to figure it out with the documentation not mentioning it!

I just think if there's no reason not to, it would sure make things easier to keep the indices unaltered whenever possible.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Dec 04 06:00:01 2025 UTC