[2001-05-17 00:39 UTC] bruce at causal dot com
Array variables acquired via the POST method do not appear in the $HTTP_POST_VARS array unless magic_quotes_gpc is DISABLED. For example, if one uses a checkbox array named thus:

    <input type="checkbox" name="fred[]" value="1">
    <input type="checkbox" name="fred[]" value="2">
    <input type="checkbox" name="fred[]" value="3">

an array variable called $fred will appear in the global namespace (assuming register_globals is ON). The same array variable should also appear as $HTTP_POST_VARS["fred"] (assuming track_vars is ON).

The BUG results in $HTTP_POST_VARS["fred"] appearing, but not as an array variable. That is, is_array($HTTP_POST_VARS["fred"]) returns FALSE. Further, the value of $HTTP_POST_VARS["fred"] is the string literal "Array", which curiously is the same string returned when an array variable is accessed in a scalar context.

If magic_quotes_gpc is DISABLED, this problem vanishes and the value of $HTTP_POST_VARS["fred"] is the anticipated array of values of selected checkboxes.

It looks to me like PHP4 is storing the result of a scalar access to the array variable $fred in $HTTP_POST_VARS["fred"] when magic_quotes_gpc is enabled. I think this qualifies as a bug.
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Wed Oct 29 16:00:01 2025 UTC
Mea Culpa. The problem was caused by a PHP script designed to strip slashes from $HTTP_POST_VARS when magic_quotes_gpc is enabled but unwanted (i.e., in situations where one does not have the authority to turn magic_quotes_gpc off). It simply applied stripslashes() to each element of $HTTP_POST_VARS, but this is not enough, as a POST variable may be an array. This was indeed the case in my checkbox example.

I have since written this function to stripslashes correctly (it works "in place", caveat emptor):

    function & stripallslashes ( &$variable )
    {
        // strip slashes recursively (works around magic_quotes_gpc)
        if ( gettype($variable) == "array" )
        {
            reset($variable);
            // walk every element and clean it, descending into nested arrays
            while ( list($key,$value) = each($variable) )
                $variable[$key] = stripallslashes($value);
            return $variable;
        }
        elseif ( gettype($variable) == "string" )
            return stripslashes( $variable );
        else
            return $variable;   // other types are passed through untouched
    }

Applied to HTTP_POST_VARS thus:

    stripallslashes($HTTP_POST_VARS);

resolves the problems I was having.
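The failure mode from the comment above, as an added example for current PHP (not code from the original report): a flat cleanup pass turns the `fred[]` array into the string "Array", while a recursive pass keeps its type. The sample `$post` data and the names `strip_flat`, `strip_deep` and `changed_types` are constructed for illustration.

```php
<?php
// Constructed sample: POST data as magic_quotes_gpc-style escaping would leave it.
$post = [
    'name' => 'O\\\'Reilly',
    'fred' => ['1', '3'],                       // checkboxes named fred[]
    'note' => ['text' => 'say \\"hi\\"', 'tags' => ['x\\\\y']],
];

// Flat cleanup, one call per top-level element. On PHP 4 an array element was
// converted to the string "Array"; PHP 8 throws a TypeError instead, so the
// old result is written out explicitly here.
function strip_flat(array $vars): array
{
    $out = [];
    foreach ($vars as $key => $value) {
        $out[$key] = is_array($value) ? 'Array' : stripslashes($value);
    }
    return $out;
}

// Recursive cleanup: descend into arrays, unescape strings, keep other types.
function strip_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Report every top-level key whose type changed during cleanup.
function changed_types(array $before, array $after): array
{
    $bad = [];
    foreach ($before as $key => $value) {
        if (gettype($value) !== gettype($after[$key])) {
            $bad[] = $key;
        }
    }
    return $bad;
}

echo 'flat changed: ', implode(',', changed_types($post, strip_flat($post))), "\n";
echo 'deep changed: ', implode(',', changed_types($post, strip_deep($post))), "\n";
var_dump(strip_deep($post));
```

A type comparison like `changed_types` is a cheap check to run after any input-normalisation layer, since a silent array-to-string conversion otherwise only surfaces later as a failed `is_array()` test.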