PHP :: Request #27572 :: Allowing characters other than [] to define arrays in POST or GET variables

Request #27572	Allowing characters other than [] to define arrays in POST or GET variables
Submitted:	2004-03-11 12:05 UTC	Modified:	2004-03-11 13:06 UTC
From:	marwan at marvonline dot org	Assigned:
Status:	Wont fix	Package:	Feature/Change Request
PHP Version:	Irrelevant	OS:	Any
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	marwan at marvonline dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2004-03-11 12:05 UTC] marwan at marvonline dot org

Description:
------------
PHP registers HTML variables that look like arrays as array variables, which is pretty convenient for packaging form variables.

I'm building a form generator that utilizes this feature a lot. It uses it something like this:

for ($i=0; $i<count($data['ID']); $i++)
{
	echo "<input type=\"hidden\" name=\"data[ID][$i]\" value=\"{$data['ID'][$i]}\"> "
			."<input type=\"text\" name=\"data[Name][$i]\" value=\"{$data['Name'][$i]\"><br>\n";
}

The (slightly) annoying thing about this is that urlencoding the variable names replaces the '[' and ']' with three letter codes. If the arrays are large (as they typically are) this bloats the POST request quite a lot.

If PHP would consider the '.' as an array operator when registering GET and POST variables, it would improve matters. The '.' is urlencoded as a '.' with no charcter inflation. Further, it would only require one operator instead of two ([ and ]).

The code would then look like:
for ($i=0; $i<count($data['ID']); $i++)
{
	echo "<input type=\"hidden\" name=\"data.ID.$i\" value=\"{$data['ID'][$i]}\"> "
			."<input type=\"text\" name=\"data.Name.$i\" value=\"{$data['Name'][$i]\"><br>\n";
}

Since PHP forbids using the '.' in variable names anyway, this shouldn't affect much code. To be safe, an INI option could be made to switch this behaviour on and off.

As far as I can tell, the only function that would need to change would be php_register_variable_ex in main/php_variables.c

I would be quite willing to re-code the function and hand it to someone who has CVS access.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-03-11 12:35 UTC] derick@php.net

We use the [] everywhere for array accesses, we can't change it because it will break a lot of scripts, and by making it a switch you prevent people from writing portable scripts.

[2004-03-11 12:51 UTC] marwan at marvonline dot org

I just wanted to be clear that I'm only suggesting this when parsing variable names from POST and GET requests, not when accessing the array inside a script. Further, it can be done so that both [] and . can be used to delinate arrays so it wouldn't affect anyone except people who are passing variable names with a . in them, which PHP forbids anyway.

And making it a switch is as portable as magic_gpc switch.

I wrote up the necessary code if anyone's interested.

[2004-03-11 13:06 UTC] derick@php.net

Besides that you can work around the magic_gpc thing, I definitely agree that that should never have been part of PHP either.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Dec 30 04:00:01 2025 UTC