Bug #8449 register_globals=on and track_vars=on produce strange results for arrays
Submitted: 2000-12-28 02:49 UTC Modified: 2002-02-27 00:32 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:0 of 0 (0.0%)
From: omakarenko at cyberplat dot ru Assigned:
Status: Not a bug Package: Arrays related
PHP Version: 4.1.0RC1 OS: linux
Private report: No CVE-ID: None
 [2000-12-28 02:49 UTC] omakarenko at cyberplat dot ru
I was trying to make the example as short as possible so it
looks stupid but it clearly demonstrates the problem. 

Two short examples of *correct* behaviour first:

Example 1:
<form action="bug.php?age=12" method=post>
<input type=text size=32 name=sname>
</form>

The form sets age using the URL path and sname using post. I could use cookies for age but the example would be longer. The idea is to simultaneously use several different methods to pass the variables. Nothing unusual here.

track_vars and register_globals are both on so in bug.php
I have access to $HTTP_GET_VARS[age], $HTTP_POST_VARS[sname] and to $age, $sname. I have no $HTTP_GET_VARS[sname] and $HTTP_POST_VARS[age] and I should not. So far so good.

Example 2:
let's try the following:

<form action="bug.php?sname=Pupkin" method=post>
<input type=text size=32 name=sname value='Collins'>
</form>

I use the same variable name in both requests.
Now I have $HTTP_GET_VARS[sname] == 'Pupkin' and $HTTP_POST_VARS[sname]='Collins' and that is also correct, and that is how I can check what method was used to pass the variable (the global $sname value depends on variables_order, of course).

Example 3: the bug

but let's put the variables into array:

<form action="bug?person[age]=12" method=post>
<input type=text size=32 name=person[sname]>
</form>

Now I expect to have $person[age], $person[sname] in my global space and $HTTP_POST_VARS[person][sname],
$HTTP_GET_VARS[person][age]... right?

The bug is that I also have both $HTTP_POST_VARS[person][age] and $HTTP_GET_VARS[person][sname] defined...

Do you see the problem? person[age] has somehow propagated into $HTTP_POST_VARS while I had no person[age] in my post request... Now I have no way to find how that variable was passed to my script... If I have a person[id] defined in the cookie then I suddenly have also person[age] and person[sname] defined in HTTP_COOKIE_VARS and person[id] defined in both POST_VARS and GET_VARS!

Looks like a bug to me.

Comments?

oleg





 [2001-08-19 02:57 UTC] sniper@php.net
This is fixed at least in PHP 4.0.6.
Maybe even earlier.

--Jani

 [2001-08-19 03:01 UTC] sniper@php.net
Oops. I had register_globals=off in my php.ini. 
Then this works as expected. But when it is On, not.

--Jani

 [2001-10-21 01:27 UTC] sniper@php.net
Reproduced also with PHP 4.1.0RC1

Here is the complete script for all the lazy developers
to try with:

form.php:
---------
<form action="form.php?person[age]=12" method=post>
<input type=text size=32 name=person[sname]>
</form>
<br>
<?php

echo "HTTP_POST_VARS<br>";
print_r($HTTP_POST_VARS);
echo "<p>";
echo "HTTP_GET_VARS<br>";
print_r($HTTP_GET_VARS);
echo "<p>";
echo "_POST<br>";
print_r($_POST);
echo "<p>";
echo "_GET<br>";
print_r($_GET);

?>

 [2002-02-26 22:58 UTC] rodif_bl@php.net
I looked into this...
When you have register globals on it registers the
$person as a global array. When parsing the get request it adds [age] to the global $person array, then when the post request is parsed it finds the global array and adds the [sname] to the same array. So this is what should happen.

why are you using get and post requests...
why don't you just use 

<input type=hidden name=person[blah] value=blah>
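
Added example (not part of the original report and not PHP's own code): a small model of the merge described in the comment above, next to a version that keeps one parsed copy per source. The function names and the sample request are made up for illustration, and the aliasing between the tracking arrays and the global is an assumption inferred from the symptom reported in Example 3.

```php
<?php
// Model only: register_globals was removed from PHP, so plain arrays and
// references stand in for it here. Function names are hypothetical.

// Reported behaviour: every source's tracking entry aliases the one global
// array, so fields parsed from a later source land in all of them.
function register_shared(array $sources): array {
    $globals = [];
    $track = [];
    foreach ($sources as $name => $raw) {
        parse_str($raw, $parsed);
        foreach ($parsed as $key => $value) {
            if (is_array($value) && isset($globals[$key]) && is_array($globals[$key])) {
                $globals[$key] = array_replace($globals[$key], $value); // merge into existing global
            } else {
                $globals[$key] = $value;
            }
            $track[$name][$key] = &$globals[$key]; // alias, not a copy
        }
    }
    return $track;
}

// Expected behaviour: each source keeps its own parsed copy.
function register_isolated(array $sources): array {
    $track = [];
    foreach ($sources as $name => $raw) {
        parse_str($raw, $parsed);
        $track[$name] = $parsed;
    }
    return $track;
}

// Which sources claim to have supplied $var[$field]?
function sources_of(array $track, string $var, string $field): array {
    $hits = [];
    foreach ($track as $name => $vars) {
        if (isset($vars[$var][$field])) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed request matching Example 3: age in the URL, sname in the body.
$request = ['get' => 'person[age]=12', 'post' => 'person[sname]=Collins'];
echo 'shared:   ', implode(',', sources_of(register_shared($request), 'person', 'age')), "\n";
echo 'isolated: ', implode(',', sources_of(register_isolated($request), 'person', 'age')), "\n";
```

With the shared model person[age] is reported for both get and post, which is the symptom in Example 3; with per-source copies it is reported for get only. A check such as "did this field arrive in the POST body" is only meaningful against arrays that are not aliased to the merged global.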


 [2002-02-27 00:32 UTC] yohgaki@php.net
We should get rid of the register_globals feature in PHP5 :)
(There is import_request_variables() for compatibility also)
 [2003-05-02 14:19 UTC] oregon at pobox dot com
Why is this bug marked as Bogus?  It's absolutely a bug and it needs to be fixed because it's breaking correctly written scripts that worked in earlier PHP versions.  I'll re-submit it...
 
Last updated: Wed Jan 15 12:01:29 2025 UTC