Bug #25231 Strange $_GET/$_POST Behaviour
Submitted: 2003-08-25 00:39 UTC
Modified: 2003-08-25 20:45 UTC
From: tim at zero-interactive dot com
Assigned:
Status: Not a bug
Package: Variables related
PHP Version: 4.3.3
OS: Win2K Pro
Private report: No
CVE-ID: None
 [2003-08-25 00:39 UTC] tim at zero-interactive dot com
Description:
------------
I'm pretty sure this is wrong, feel free to correct me if it is.

Basically if you POST form data from a form that has its action set to "upload.php?action=add", you get both _GET and _POST data accessible to your script.

It "seems" that the $_GET array is not respecting the HTTP headers sent by the browser and is getting its data by blindly parsing the url.  Shouldn't it first check the headers sent to see if it was sent with the GET method?


Reproduce code:
---------------
The headers that my browser sent are as follows:

http://192.168.4.105:8080/gallery/upload.php?action=add

POST /gallery/upload.php?action=add HTTP/1.1
Host: 192.168.4.105:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate,compress;q=0.9
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://192.168.4.105:8080/gallery/upload.php
Content-Type: multipart/form-data; boundary=---------------------------265001916915724
Content-Length: 1588
-----------------------------265001916915724
Content-Disposition: form-data; name="category"

2
-----------------------------265001916915724
Content-Disposition: form-data; name="photo_filename[]"; filename=""
Content-Type: application/octet-stream


-----------------------------265001916915724
Content-Disposition: form-data; name="photo_caption[]"


-----------------------------265001916915724
Content-Disposition: form-data; name="photo_filename[]"; filename=""
Content-Type: application/octet-stream


-----------------------------265001916915724
Content-Disposition: form-data; name="photo_caption[]"


-----------------------------265001916915724
Content-Disposition: form-data; name="photo_filename[]"; filename=""
Content-Type: application/octet-stream


-----------------------------265001916915724
Content-Disposition: form-data; name="photo_caption[]"


-----------------------------265001916915724
Content-Disposition: form-data; name="photo_filename[]"; filename=""
Content-Type: application/octet-stream


-----------------------------265001916915724
Content-Disposition: form-data; name="photo_caption[]"


-----------------------------265001916915724
Content-Disposition: form-data; name="photo_filename[]"; filename=""
Content-Type: application/octet-stream


-----------------------------265001916915724
Content-Disposition: form-data; name="photo_caption[]"


-----------------------------265001916915724
Content-Disposition: form-data; name="addPhotos"

Add Photos
-----------------------------265001916915724--

HTTP/1.x 200 OK
Date: Mon, 25 Aug 2003 05:14:35 GMT
Server: Apache/2.0.44 (Win32) PHP/4.3.0
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.0
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
----------------------------------------------------------

Expected result:
----------------
I would have expected to get the action variable from parsing the url of the script rather than through the $_GET array.  Seeing as only a POST HTTP header was sent and not a GET HTTP header, I wouldn't have expected to see anything at all in the $_GET array and definitely not a combination of both in $_REQUEST.

The result of a print_r on $_GET, $_POST and $_REQUEST should be as follows:

$_GET
-----
Array
(
)

$_POST
------
Array
(
    [category] => 2
    [photo_caption] => Array
        (
            [0] => 
            [1] => 
            [2] => 
            [3] => 
            [4] => 
        )

    [addPhotos] => Add Photos
)

$_REQUEST
---------
Array
(
    [category] => 2
    [photo_caption] => Array
        (
            [0] => 
            [1] => 
            [2] => 
            [3] => 
            [4] => 
        )

    [addPhotos] => Add Photos
)


Actual result:
--------------
The result that I got back was this:

$_GET
-----
Array
(
    [action] => add
)

$_POST
------
Array
(
    [category] => 2
    [photo_caption] => Array
        (
            [0] => 
            [1] => 
            [2] => 
            [3] => 
            [4] => 
        )

    [addPhotos] => Add Photos
)

$_REQUEST
---------
Array
(
    [action] => add
    [category] => 2
    [photo_caption] => Array
        (
            [0] => 
            [1] => 
            [2] => 
            [3] => 
            [4] => 
        )

    [addPhotos] => Add Photos
)


 [2003-08-25 18:47 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is the correct behaviour.
 [2003-08-25 18:54 UTC] tim at zero-interactive dot com
I don't understand how this can be correct behaviour.  There is never a GET header sent with the request, so this means that the $_GET array should not be populated.  If you have a close look at the HTTP headers that I've captured, there is only a POST request header sent and not a GET request header.
 [2003-08-25 18:59 UTC] sniper@php.net
This is called a FEATURE... it's definitely NOT a bug.
Please ask support questions elsewhere.

 [2003-08-25 19:37 UTC] tim at zero-interactive dot com
No need to get nasty.  I wasn't asking for help, was only reporting behaviour which I believe to be incorrect (which is what this site exists for).  If you say it's a feature, then fine, I'll take your word for it even though none of you have bothered to explain why it is correct.

Your "feature" is however inconsistent in the way that it works.  If I change the form method to GET instead of POST, then I only get some of the information sent back in the GET array.  Namely, only the data in the input fields in the form and not the data in the query part of the action uri.

If you have no intention of fixing what I believe to be wrong, then at the very least change the documentation in the manual to reflect this undocumented (that I know of) feature:

Excerpt from online manual (Predefined variables page):
$_GET
Variables provided to the script via HTTP GET. Analogous to the old $HTTP_GET_VARS array (which is still available, but deprecated). 

$_POST
Variables provided to the script via HTTP POST. Analogous to the old $HTTP_POST_VARS array (which is still available, but deprecated). 


You will note that it says "provided to the script via HTTP GET".  I just proved to you that you can get data in the $_GET array with an HTTP POST as demonstrated by the headers I captured.  This means that either the engine is wrong or the documentation is wrong.  Which one is it?
 [2003-08-25 20:20 UTC] sniper@php.net
You should also try with PHP 4.3.3 which was released today (yesterday for some). Neither PHP/documentation is wrong.

 [2003-08-25 20:37 UTC] tim at zero-interactive dot com
What's the point in testing it with 4.3.3?  The behaviour is the same for 4.3.2 and 4.3.4-dev (previously recommended by Ilia).

You guys obviously aren't going to change anything regardless of what I say or attempt to prove to you.  You definitely don't seem to be concerned with justifying to me why this behaviour is correct either or how the documentation and php are considered correct yet they conflict.

I've followed the rules as far as what to submit and how to submit it.  I've also justified my reasons with physical test results, data captures etc.  As far as I'm concerned, marking something as bogus and just stating it's right over and over again when evidence to the contrary is in front of you is wrong.

If you can give me a good reason as to why this behaviour is considered correct and how the docs and php are both considered correct on this issue I will drop this immediately.

I appreciate the fact that you guys are volunteers on this project, but the better the answer you supply to us, especially when we've tried our best to supply you with data, can only result in less duplication in future and maybe less reports relating to so called undocumented features.  A simple explanation the first time would have stopped me from replying and dragging this out.
 [2003-08-25 20:45 UTC] sniper@php.net
I missed the part where Ilia asked to try the snapshot. And you failed to update the last version too. :-p

Anyway, it's a feature that you can get both POST and GET in same request, get over it.
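
The behaviour discussed in this thread, as an added example that is not part of the original report or of PHP's own code: `$_GET` holds the URL query string whatever the request method is, and `$_REQUEST` merges the sources, so a handler that cares about the method has to check it and read body fields from `$_POST` only. The function names `superglobals_for` and `read_upload_input`, the extra `category=99` query parameter and the `GP` merge order (as set by the `request_order` ini directive) are assumptions made for illustration.

```php
<?php
/**
 * Rebuild the three views for one request (constructed model, not PHP internals):
 * "get" is parsed from the query string regardless of method, "post" is the
 * parsed body, "request" merges them in $order with later sources winning.
 */
function superglobals_for(string $queryString, array $parsedBody, string $order = 'GP'): array
{
    parse_str($queryString, $get);
    $request = [];
    foreach (str_split($order) as $source) {
        // array_replace keeps keys and lets the later source overwrite the earlier one
        $request = array_replace($request, $source === 'G' ? $get : $parsedBody);
    }
    return ['get' => $get, 'post' => $parsedBody, 'request' => $request];
}

/**
 * Hypothetical guard for upload.php: enforce the method explicitly, route on
 * the query string, and take form fields from the body only.
 */
function read_upload_input(string $method, array $get, array $post): array
{
    if ($method !== 'POST') {
        throw new RuntimeException('405: upload requires POST');
    }
    $action = $get['action'] ?? '';
    if (!in_array($action, ['add'], true)) {
        throw new RuntimeException('400: unknown action');
    }
    // Never read "category" from $_REQUEST: a query-string copy could shadow
    // or be shadowed by the body value depending on request_order.
    $category = filter_var($post['category'] ?? null, FILTER_VALIDATE_INT);
    if ($category === false) {
        throw new RuntimeException('400: category must be an integer');
    }
    return ['action' => $action, 'category' => $category];
}

// Constructed sample modelled on the captured request, with a conflicting
// "category" added to the URL to show the collision in the merged view.
$body  = ['category' => '2', 'addPhotos' => 'Add Photos'];
$views = superglobals_for('action=add&category=99', $body);

print_r($views['get']);      // query-string values, present on a POST too
print_r($views['request']);  // merged view; compare "category" with order 'PG'
print_r(superglobals_for('action=add&category=99', $body, 'PG')['request']);
print_r(read_upload_input('POST', $views['get'], $views['post']));
```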

 