PHP :: Bug #18088 :: $_GET variables are improper set when POST form submittion follows GET method

Bug #18088	$_GET variables are improper set when POST form submittion follows GET method
Submitted:	2002-07-01 09:07 UTC	Modified:	2002-07-01 09:52 UTC
From:	gryaznov at guta dot ru	Assigned:
Status:	Not a bug	Package:	Variables related
PHP Version:	4.2.1	OS:	Win2K (at least)
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	gryaznov at guta dot ru
New email:
PHP Version:		OS:

New Comment:

[2002-07-01 09:07 UTC] gryaznov at guta dot ru

Here is the test (file test.php):

<HTML>
<BODY>
<FORM NAME=test.php METHOD=GET>
<INPUT TYPE=HIDDEN NAME=start value=1>
<INPUT TYPE=SUBMIT VALUE=SET>
</FORM>
<FORM NAME=test.php METHOD=POST>
<INPUT TYPE=SUBMIT VALUE=NOTSET>
</FORM>
<BR>
start value is: <?php echo $start ?><BR>
</BODY>
</HTML>

When you click "set" button in browser, $start variable will be 1, when you click "notset" button after clicking "set" $start variable will be 1 also. Note: if register_globals is off you will need to use $_GET["start"] instead of $start, but it works also. (Though the method was POST, $_GET start variable should not be set)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-07-01 09:32 UTC] sniper@php.net

This is actually a feature rather than bug.

When you load the script first time, the get line 
does not have '?start=1' in it. Now, when you press the
NOTSET button, it won't be set.

But when you press SET button, the url will get '?start=1'
and when you then press NOTSET, it will add it to $_GET
array. 

This is very good reason why you should use $_GET / $_POST 
arrays and set register_globals=off

[2002-07-01 09:52 UTC] hholzgra@php.net

guess you wanted to assign 'test.php' to the form *action* not *name*?

'cause now, as you do not specify any action,
it defaults to the page GET url, including parameters ...

[2004-06-04 10:22 UTC] ghoppy66 at hotmail dot com

In other words;

Alot of forms that post to themselves will have action='' for example, which will, as mentioned above, pass the previous Querystring even if the form's method is POST!

Thus:

<form method='post' action='<?=$_SERVER['PHP_SELF']?>'> 

will destroy the previous querystring. Not a bug? mmm

[2004-06-04 16:51 UTC] papercrane at reversefold dot com

Nevertheless, this is a feature of your browser, not of PHP. The browser chooses to send the GET querystring and PHP should not be choosing whether or not to populate $_GET and not $_POST. If you're worried about this (and you should be), use $_GET and $_POST, not globals. Just turn register_globals off, it's a huge security hole.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 13:01:31 2024 UTC