php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #10918 $HTTP_POST_VARS incorrectly initialized.
Submitted: 2001-05-17 00:39 UTC Modified: 2001-10-15 03:08 UTC
From: bruce at causal dot com Assigned:
Status: Closed Package: Variables related
PHP Version: 4.0.6 OS: Linux 2.4.7
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bruce at causal dot com
New email:
PHP Version: OS:

 

 [2001-05-17 00:39 UTC] bruce at causal dot com 
Array variables acquired via the POST method do not appear in the $HTTP_POST_VARS array unless magic_quotes_gpc is DISABLED.

For example, if one uses a checkbox array named thus:

<input type="checkbox" name="fred[]" value="1">
<input type="checkbox" name="fred[]" value="2">
<input type="checkbox" name="fred[]" value="3">

an array variable called $fred will appear in the global namespace (assuming register_globals is ON). The same array variable should also appear as $HTTP_POST_VARS["fred"] (assuming track_vars is ON).

The BUG results in $HTTP_POST_VARS["fred'] appearing, but not as an array variable. That is, is_array($HTTP_POST_VARS["fred"]) returns FALSE. Further, the value of $HTTP_POST_VARS["fred"] is the string literal "Array" which curiously is the same string returned when an array variable is accessed in a scalar context.

If magic_quotes_qpc is DISABLED, this problem vanishes and the value of $HTTP_POST_VARS["fred"] is the anticipated array of values of selected checkboxes.

It looks to me like PHP4 is storing the result of a scalar access to the array variable $fred in $HTTP_POST_VARS["fred"] when magic_quotes_gpc is enabled. I think this qualifies as a bug.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-05-23 02:14 UTC] sniper@php.net 
I'm unable to reproduce this with PHP 4.0.6RC1.
Please try it: http://www.php.net/~andi/php-4.0.6RC1.tar.gz

And also, replace your php.ini with the php.ini-dist that
comes with the package. Then change the appropriate directives.

--Jani
 [2001-06-12 17:19 UTC] sniper@php.net 
No feedback, considered fixed.
 [2001-09-24 03:49 UTC] bruce at causal dot com 
It appears this problem as I described earlier does exists in PHP 4.0.6.
 [2001-10-15 03:08 UTC] bruce at causal dot com 
Mea Culpa. 

The problem was caused by a PHP script designed to strip slashes from $HTTP_POST_VARS when magic_quotes_gpc are enabled but unwanted (ie, in situations where one does not have the authority to turn magic_quotes_gpc off). 

It simply applied stripslashes() to each element of $HTTP_POST_VARS but this is not enough as a POST variable may be an array.

This was indeed the case in my checkbox example.

I have since written this function to stripslashes correctly (it works "in place", caveat emptor):

function & stripallslashes ( &$variable ) {
 // strip slashes recursively (works around magic_quotes_gpc)
    if ( gettype($variable) == "array" ) {
        reset($variable);
        while ( list($key,$value) = each($variable) )
            $variable[$key] = stripallslashes($value);
        return $variable;
    } elseif ( gettype($variable) == "string" )
          return stripslashes( $variable );
    else return $variable;
}

Applied to HTTP_POST_VARS thus:

   stripslashes($HTTP_POST_VARS);

resolves the problems I was having.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 28 10:01:29 2024 UTC