Bug #76255 parse_str() does not replace control characters
Submitted: 2018-04-23 18:26 UTC Modified: 2021-09-24 16:05 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: alex dot a dot pott at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: URL related
PHP Version: 7.2.4 OS: OS X & Linux
Private report: No CVE-ID: None
 [2018-04-23 18:26 UTC] alex dot a dot pott at gmail dot com
Description:
------------
If you manually extract the query string from http://example.com?foo=bar&\x00foo=bar2&foo=bar3 and then use parse_str() on the result it is different than if you use parse_url() and then parse_str(). This is loosely related to https://bugs.php.net/bug.php?id=66976.

Test script:
---------------
$url = "http://example.com?foo=bar&\x00foo=bar2&foo=bar3";
list($path, $query_string) = explode('?', $url, 2);
// Use parse_url() and then parse_str()
$parts = parse_url($url);
parse_str($parts['query'], $parsed_qs);
var_dump($parsed_qs);
// Output: array(2) {
//  ["foo"]=>
//  string(4) "bar3"
//  ["_foo"]=>
//  string(4) "bar2"
//}

// Use parse_str()
parse_str($query_string, $parsed_qs);
var_dump($parsed_qs);
// Output: array(1) {
//  ["foo"]=>
//  string(3) "bar"
// }

Expected result:
----------------
I expect the second result to be the same as the first.


 [2019-04-28 16:47 UTC] duncan3dc@php.net
A null character isn't valid in a URL, is it? Shouldn't it be encoded as %00?
 [2019-04-28 17:03 UTC] spam2 at rhsoft dot net
You shouldn't pass random, unsanitized input to any function except one designed to sanitize input.
 [2021-09-24 16:05 UTC] cmb@php.net
-Status: Open +Status: Not a bug
-Assigned To: +Assigned To: cmb
 [2021-09-24 16:05 UTC] cmb@php.net
parse_url() deliberately replaces control characters with
underscores, while parse_str() does not.  While that may appear to
be inconsistent given the similar function names, it is important
to note that parse_url() is a URL function, while parse_str() is a
string function.
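
Added example, not part of the bug report or of PHP itself: one way to keep the two code paths from disagreeing is to reject a URL that contains raw control characters before parse_url() or parse_str() sees it. The helper name query_params_strict() is hypothetical and the first sample URL is constructed; the second is the URL from the report.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a PHP built-in): return the query parameters of a
 * URL, refusing input with raw control characters instead of letting
 * parse_url() rewrite them to underscores or parse_str() take them unchanged.
 */
function query_params_strict(string $url): array
{
    // Raw bytes 0x00-0x1F and 0x7F have to be percent-encoded in a URL.
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        throw new InvalidArgumentException('raw control character in URL');
    }

    $query = parse_url($url, PHP_URL_QUERY);
    if ($query === false) {
        throw new InvalidArgumentException('malformed URL');
    }
    if ($query === null) {
        return []; // URL has no query component
    }

    parse_str($query, $params);
    return $params;
}

$samples = [
    'http://example.com?foo=bar&foo2=bar2',              // constructed, clean
    "http://example.com?foo=bar&\x00foo=bar2&foo=bar3",  // URL from the report
];

foreach ($samples as $url) {
    try {
        var_dump(query_params_strict($url));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```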