Bug #10918 $HTTP_POST_VARS incorrectly initialized.
Submitted: 2001-05-17 00:39 UTC
Modified: 2001-10-15 03:08 UTC
From: bruce at causal dot com
Assigned:
Status: Closed
Package: Variables related
PHP Version: 4.0.6
OS: Linux 2.4.7
Private report: No
CVE-ID: None
 [2001-05-17 00:39 UTC] bruce at causal dot com
Array variables acquired via the POST method do not appear in the $HTTP_POST_VARS array unless magic_quotes_gpc is DISABLED.

For example, if one uses a checkbox array named thus:

<input type="checkbox" name="fred[]" value="1">
<input type="checkbox" name="fred[]" value="2">
<input type="checkbox" name="fred[]" value="3">

an array variable called $fred will appear in the global namespace (assuming register_globals is ON). The same array variable should also appear as $HTTP_POST_VARS["fred"] (assuming track_vars is ON).

The BUG results in $HTTP_POST_VARS["fred"] appearing, but not as an array variable. That is, is_array($HTTP_POST_VARS["fred"]) returns FALSE. Further, the value of $HTTP_POST_VARS["fred"] is the string literal "Array" which curiously is the same string returned when an array variable is accessed in a scalar context.

If magic_quotes_gpc is DISABLED, this problem vanishes and the value of $HTTP_POST_VARS["fred"] is the anticipated array of values of selected checkboxes.

It looks to me like PHP4 is storing the result of a scalar access to the array variable $fred in $HTTP_POST_VARS["fred"] when magic_quotes_gpc is enabled. I think this qualifies as a bug.

 [2001-05-23 02:14 UTC] sniper@php.net
I'm unable to reproduce this with PHP 4.0.6RC1.
Please try it: http://www.php.net/~andi/php-4.0.6RC1.tar.gz

And also, replace your php.ini with the php.ini-dist that
comes with the package. Then change the appropriate directives.

--Jani

 [2001-06-12 17:19 UTC] sniper@php.net
No feedback, considered fixed.

 [2001-09-24 03:49 UTC] bruce at causal dot com
It appears this problem as I described earlier does exist in PHP 4.0.6.

 [2001-10-15 03:08 UTC] bruce at causal dot com
Mea Culpa. 

The problem was caused by a PHP script designed to strip slashes from $HTTP_POST_VARS when magic_quotes_gpc is enabled but unwanted (i.e., in situations where one does not have the authority to turn magic_quotes_gpc off).

It simply applied stripslashes() to each element of $HTTP_POST_VARS but this is not enough as a POST variable may be an array.

This was indeed the case in my checkbox example.

I have since written this function to stripslashes correctly (it works "in place", caveat emptor):

function & stripallslashes ( &$variable ) {
    // strip slashes recursively (works around magic_quotes_gpc)
    if ( gettype($variable) == "array" ) {
        reset($variable);
        while ( list($key,$value) = each($variable) )
            $variable[$key] = stripallslashes($value);
        return $variable;
    } elseif ( gettype($variable) == "string" )
        return stripslashes( $variable );
    else
        return $variable;
}

Applied to HTTP_POST_VARS thus:

   stripallslashes($HTTP_POST_VARS);

resolves the problems I was having.
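
The failure described in the last comment (a per-element stripslashes() pass turning fred[] into the string "Array") shown beside a recursive pass, as an added example that is not part of the original report. The $post data is constructed, the function names are hypothetical, and the is_array() branch in shallow_strip() emulates the PHP 4 coercion the reporter observed, because PHP 8 throws a TypeError when stripslashes() is given an array.

```php
<?php
// Added example (PHP 7.0+ CLI). Constructed sample shaped like a POST body
// after magic_quotes_gpc escaping: a scalar, the fred[] checkbox array from
// the report, and a nested array.
$post = [
    'name' => 'O\\\'Reilly',            // the escaped input O\'Reilly
    'fred' => ['1', '3'],
    'note' => ['a\\\\b', ['x\\"y']],
];

// Flawed approach: treat every top-level element as a string.
function shallow_strip(array $vars): array {
    $out = [];
    foreach ($vars as $key => $value) {
        // Emulation (assumption): PHP 4 coerced an array argument to the
        // literal "Array", which is the value the report describes.
        $out[$key] = is_array($value) ? 'Array' : stripslashes($value);
    }
    return $out;
}

// Recursive approach: descend into arrays, unescape strings, and leave
// every other type untouched. array_map() keeps keys for a single array.
function deep_strip($value) {
    if (is_array($value)) {
        return array_map('deep_strip', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Check: list the fields whose type changed during normalisation. A field
// that arrived as an array and left as a string lost its submitted values.
function type_changes(array $before, array $after): array {
    $changed = [];
    foreach ($before as $key => $value) {
        if (gettype($value) !== gettype($after[$key] ?? null)) {
            $changed[] = $key;
        }
    }
    return $changed;
}

$shallow = shallow_strip($post);
$deep    = deep_strip($post);

echo 'shallow type changes: ', json_encode(type_changes($post, $shallow)), "\n";
echo 'deep type changes:    ', json_encode(type_changes($post, $deep)), "\n";
echo 'deep result:          ', json_encode($deep), "\n";
```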
 
Last updated: Thu Mar 28 09:01:26 2024 UTC