Request #4205 Setting internal vars with form var names dangerous!
Submitted: 2000-04-20 14:19 UTC Modified: 2000-04-20 14:47 UTC
From: kai at jedi dot net Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.0 Release Candidate 1 OS: Linux Red Hat 6.0
Private report: No CVE-ID: None
 [2000-04-20 14:19 UTC] kai at jedi dot net
Having the HTTP POST data set vars in the page willy-nilly is extremely dangerous.  You never know how something got set, and anyone who has seen the source could find a way to pass in malicious variables and values to your scripts.  Yes, initting vars carefully helps but...

A feature that allows us to have FORM vars appear ONLY in the global HTTP_POST_VARS array (and not set local variables as now) would be GREATLY appreciated.


 [2000-04-20 14:47 UTC] zeev at cvs dot php dot net
It already exists.  Turn off register_globals and turn on
track_vars.
Read the php.ini-dist file supplied with PHP 4.0RC1.
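
The difference between the two settings discussed in this report, as an added example that is not part of the original report or of PHP's own code. Because register_globals was removed in later PHP versions, `extract()` stands in for it here; the function names, the `authorized` flag and the sample form data are hypothetical.

```php
<?php
// Constructed sample form data: the form only defines "user", but the
// sender added a field named after one of the script's internal variables.
$samplePost = ['user' => 'guest', 'authorized' => '1'];

// Models register_globals = On: every form field becomes a variable in
// the script's scope before the script body runs. extract() is used as a
// stand-in for that implicit import (assumption of this example).
function check_with_register_globals(array $post): bool
{
    extract($post);
    if (isset($user) && $user === 'admin') {
        $authorized = true;   // the only place the script itself sets it
    }
    // $authorized is never initialised by the script, so a form field
    // with the same name decides the outcome.
    return !empty($authorized);
}

// Models register_globals = Off with track_vars = On: form data is only
// reachable through the array ($HTTP_POST_VARS in PHP 4, passed in here
// as $postVars), so internal variables cannot be set from outside.
function check_with_track_vars(array $postVars): bool
{
    $authorized = false;      // internal state, never taken from input
    $user = isset($postVars['user']) ? $postVars['user'] : '';
    if ($user === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

echo 'form vars imported as variables: ';
var_dump(check_with_register_globals($samplePost));
echo 'form vars only in the array:     ';
var_dump(check_with_track_vars($samplePost));
```

The two calls receive the same input; only the second ignores the extra `authorized` field, which is the behaviour the reporter asked for.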
 