Bug #11450 Retrieving cookies in MSIE 5.0 returns an Apache Error 500 page
Submitted: 2001-06-12 20:52 UTC
Modified: 2001-06-13 10:59 UTC
From: macfreak at adelphia dot net
Assigned:
Status: Not a bug
Package: Apache related
PHP Version: 4.0.5
OS: Windows 98 Second Edition
Private report: No
CVE-ID: None


 [2001-06-12 20:52 UTC] macfreak at adelphia dot net
PHP.ini file:

; $Id: php.ini-dist,v 2001/04/22 11:58:49 phanto Exp $


; About this file ;

; This file controls many aspects of PHP's behavior.  In order for PHP to
; read it, it must be named 'php.ini'.  PHP looks for it in the current
; working directory, in the path designated by the environment variable
; PHPRC, and in the path that was defined in compile time (in that order).
; Under Windows, the compile-time path is the Windows directory.  The
; path in which the php.ini file is looked for can be overridden using
; the -c argument in command line mode.

; The syntax of the file is extremely simple.  Whitespace and Lines
; beginning with a semicolon are silently ignored (as you probably guessed).
; Section headers (e.g. [Foo]) are also silently ignored, even though
; they might mean something in the future.

; Directives are specified using the following syntax:
; directive = value
; Directive names are *case sensitive* - foo=bar is different from FOO=bar.

; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo").

; Expressions in the INI file are limited to bitwise operators and parentheses:
; |        bitwise OR
; &        bitwise AND
; ~        bitwise NOT
; !        boolean NOT

; Boolean flags can be turned on using the values 1, On, True or Yes.
; They can be turned off using the values 0, Off, False or

; An empty string can be denoted by simply not writing anything after the equal
; sign, or by using the None keyword:

;  foo =         ; sets foo to an empty string
;  foo = none    ; sets foo to an empty string
;  foo = "none"  ; sets foo to the string 'none'

; If you use constants in your value, and these constants belong to a
; dynamically loaded extension (either a PHP extension or a Zend extension),
; you may only use these constants *after* the line that loads the extension.

; All the values in the php.ini-dist file correspond to the builtin
; defaults (that is, if no php.ini is used, or if you delete these lines,
; the builtin defaults will be identical).


; Language Options ;

; Enable the PHP scripting language engine under Apache.
engine = On

; Allow the <? tag.  Otherwise, only <?php and <script> tags are recognized.
short_open_tag = On

; Allow ASP-style <% %> tags.
asp_tags = Off

; The number of significant digits displayed in floating point numbers.
precision    =  14

; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
y2k_compliance = on

; Output buffering allows you to send header lines (including cookies) even
; after you send body content, at the price of slowing PHP's output layer a
; bit.  You can enable output buffering during runtime by calling the output
; buffering functions.  You can also enable output buffering for all files by
; setting this directive to On.
output_buffering = On

; You can redirect all of the output of your scripts to a function.  For
; example, if you set output_handler to "ob_gzhandler", output will be
; transparently compressed for browsers that support gzip or deflate encoding.
; Setting an output handler automatically turns on output
output_handler =

; Transparent output compression using the zlib library
; Valid values for this option are 'off', 'on', or a specific buffer size
; to be used for compression (default is 4KB)
zlib.output_compression = Off

; Implicit flush tells PHP to tell the output layer to flush itself
; automatically after every output block.  This is equivalent to calling the
; PHP function flush() after each and every call to print() or echo() and each
; and every HTML block.  Turning this option on has serious performance
; implications and is generally recommended for debugging purposes only.
implicit_flush = Off

; Whether to enable the ability to force arguments to be passed by reference
; at function call time.  This method is deprecated and is likely to be
; unsupported in future versions of PHP/Zend.  The encouraged method of
; specifying which arguments should be passed by reference is in the function
; declaration.  You're encouraged to try and turn this option Off and make
; sure your scripts work properly with it in order to ensure they will work
; with future versions of the language (you will receive a warning each time
; you use this feature, and the argument will be passed by value instead of by
; reference).
allow_call_time_pass_reference = On


; Safe Mode

safe_mode = Off

safe_mode_exec_dir =

; Setting certain environment variables may be a potential security breach.
; This directive contains a comma-delimited list of prefixes.  In Safe Mode,
; the user may only alter environment variables whose names begin with the
; prefixes supplied here.  By default, users will only be able to set
; environment variables that begin with PHP_ (e.g.

; Note:  If this directive is empty, PHP will let the user modify ANY
; environment variable!
safe_mode_allowed_env_vars = PHP_

; This directive contains a comma-delimited list of environment variables that
; the end user won't be able to change using putenv().  These variables will be
; protected even if safe_mode_allowed_env_vars is set to allow to change them.
safe_mode_protected_env_vars = LD_LIBRARY_PATH

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.  This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions =

; Colors for Syntax Highlighting mode.  Anything that's acceptable in
; <font color="??????"> would work.
highlight.string  = #CC0000
highlight.comment = #FF9900
highlight.keyword = #006600      = #FFFFFF
highlight.default = #0000CC
highlight.html    = #000000


; Misc

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = On


; Resource Limits ;

max_execution_time = 30     ; Maximum execution time of each script, in seconds
memory_limit = 8M      ; Maximum amount of memory a script may consume (8MB)


; Error handling and logging ;

; error_reporting is a bit-field.  Or each number up to get desired error
; reporting level
; E_ALL             - All errors and warnings
; E_ERROR           - fatal run-time errors
; E_WARNING         - run-time warnings (non-fatal errors)
; E_PARSE           - compile-time parse errors
; E_NOTICE          - run-time notices (these are warnings which often result
;                     from a bug in your code, but it's possible that it was
;                     intentional (e.g., using an uninitialized variable and
;                     relying on the fact it's automatically initialized to an
;                     empty string)
; E_CORE_ERROR      - fatal errors that occur during PHP's initial startup
; E_CORE_WARNING    - warnings (non-fatal errors) that occur during PHP's
;                     initial startup
; E_COMPILE_ERROR   - fatal compile-time errors
; E_COMPILE_WARNING - compile-time warnings (non-fatal
; E_USER_ERROR      - user-generated error message
; E_USER_WARNING    - user-generated warning message
; E_USER_NOTICE     - user-generated notice message

; Examples:

;   - Show all errors, except for notices

;error_reporting = E_ALL & ~E_NOTICE

;   - Show only errors

;   - Show all errors except for notices

error_reporting  =  E_ALL & ~E_NOTICE

; Print out errors (as a part of the output).  For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).  Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = On

; Even when display_errors is on, errors that occur during PHP's startup
; sequence are not displayed.  It's strongly recommended to keep
; display_startup_errors off, except for when debugging.
display_startup_errors = Off

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = Off

; Store the last error/warning message in $php_errormsg
track_errors = Off

; String to output before an error message.
;error_prepend_string = "<font color=ff0000>"

; String to output after an error message.
;error_append_string = "</font>"

; Log errors to specified file.
;error_log = filename

; Log errors to syslog (Event Log on NT, not valid in Windows 95).
;error_log = syslog

; Warn if the + operator is used with strings.
warn_plus_overloading = Off


; Data Handling ;

; Note - track_vars is ALWAYS enabled as of PHP 4.0.3

; The separator used in PHP generated URLs to separate
; Default is "&".
;arg_separator.output = "&amp;"

; List of separator(s) used by PHP to parse input URLs into variables.
; Default is "&".
; NOTE: Every character in this directive is considered as
;arg_separator.input = ";&"

; This directive describes the order in which PHP registers GET, POST, Cookie,
; Environment and Built-in variables (G, P, C, E & S respectively, often
; referred to as EGPCS or GPC).  Registration is done from left to right, newer
; values override older values.
variables_order = "EGPCS"

; Whether or not to register the EGPCS variables as global variables.  You may
; want to turn this off if you don't want to clutter your scripts' global scope
; with user data.  This makes most sense when coupled with track_vars - in which
; case you can access all of the GPC variables through the
; variables.

; You should do your best to write your scripts so that they do not require
; register_globals to be on;  Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = On

; This directive tells PHP whether to declare the argv&argc variables (that
; would contain the GET information).  If you don't use these variables, you
; should turn it off for increased performance.
register_argc_argv = On

; Maximum size of POST data that PHP will accept.
post_max_size = 8M

; This directive is deprecated.  Use variables_order
gpc_order = "GPC"

; Magic quotes

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

; Automatically add files before or after any PHP
auto_prepend_file =
auto_append_file =

; As of 4.0b4, PHP always outputs a character encoding by default in
; the Content-type: header.  To disable sending of the charset, simply
; set it to be empty.

; PHP's built-in default is text/html
default_mimetype = "text/html"
;default_charset = "iso-8859-1"


; Paths and Directories ;

; UNIX: "/path1:/path2"  Windows: "\path1;\path2"
include_path =

; The root of the PHP pages, used only if nonempty.
doc_root = "c:\program files\apache group\apache\htdocs"

; The directory under which PHP opens the script using /~username, used only
; if nonempty.
user_dir =

; Directory in which the loadable extensions (modules)
extension_dir = ./

; Whether or not to enable the dl() function.  The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
; disabled on them.
enable_dl = On


; File Uploads ;

; Whether to allow HTTP file uploads.
file_uploads = On

; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
;upload_tmp_dir = "C:\Windows\Temp"

; Maximum allowed size for uploaded files.
upload_max_filesize = 2M


; Fopen wrappers ;

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On


; Dynamic Extensions ;

; If you wish to have an extension loaded automatically, use the following
; syntax:

;   extension=modulename.extension

; For example, on Windows:

;   extension=msql.dll

; ... or under UNIX:

; Note that it should be the name of the module only; no directory information
; needs to go here.  Specify the location of the extension with the
; extension_dir directive above.

;Windows Extensions
;Note that MySQL and ODBC support is now built in, so no dll is needed for it.

; Module Settings ;

; Whether or not to define the various syslog variables (e.g. $LOG_PID,
; $LOG_CRON, etc.).  Turning it off is a good idea performance-wise.  In
; runtime, you can define these variables by calling
define_syslog_variables  = Off

[mail function]

; For Win32 only.
SMTP = localhost

; For Win32 only.
sendmail_from =

; For Unix only.  You may supply arguments as well (default: 'sendmail -t -i').
;sendmail_path =


; These configuration directives are used by the example logging mechanism.
; See examples/README.logging for more explanation.
;logging.method = db
; = /path/to/log/directory


;java.class.path = .\php_java.jar
;java.home = c:\jdk
;java.library = c:\jdk\jre\bin\hotspot\jvm.dll
;java.library.path = .\


sql.safe_mode = Off


;odbc.default_db    =  Not yet implemented
;odbc.default_user  =  Not yet implemented
;odbc.default_pw    =  Not yet implemented

; Allow or prevent persistent links.
odbc.allow_persistent = On

; Check that a connection is still valid before reuse.
odbc.check_persistent = On

; Maximum number of persistent links.  -1 means no limit.
odbc.max_persistent = -1

; Maximum number of links (persistent + non-persistent).  -1 means no limit.
odbc.max_links = -1

; Handling of LONG fields.  Returns number of bytes to variables.  0 means
; passthru.
odbc.defaultlrl = 4096

; Handling of binary data.  0 means passthru, 1 return as is, 2 convert to char.
; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
; of uodbc.defaultlrl and uodbc.defaultbinmode
odbc.defaultbinmode = 1


; Allow or prevent persistent links.
mysql.allow_persistent = On

; Maximum number of persistent links.  -1 means no limit.
mysql.max_persistent = -1

; Maximum number of links (persistent + non-persistent).  -1 means no limit.
mysql.max_links = -1

; Default port number for mysql_connect().  If unset, mysql_connect() will use
; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
; compile-time value defined MYSQL_PORT (in that order).  Win32 will only look
mysql.default_port =

; Default socket name for local MySQL connects.  If empty, uses the built-in
; MySQL defaults.
mysql.default_socket =

; Default host for mysql_connect() (doesn't apply in safe
mysql.default_host =

; Default user for mysql_connect() (doesn't apply in safe
mysql.default_user =

; Default password for mysql_connect() (doesn't apply in safe mode).
; Note that this is generally a *bad* idea to store passwords in this file.
; *Any* user with PHP access can run 'echo
; and reveal this password!  And of course, any users with read access to this
; file will be able to reveal the password as well.
mysql.default_password =


; Allow or prevent persistent links.
msql.allow_persistent = On

; Maximum number of persistent links.  -1 means no limit.
msql.max_persistent = -1

; Maximum number of links (persistent+non persistent).  -1 means no limit.
msql.max_links = -1


; Allow or prevent persistent links.
pgsql.allow_persistent = On

; Maximum number of persistent links.  -1 means no limit.
pgsql.max_persistent = -1

; Maximum number of links (persistent+non persistent).  -1 means no limit.
pgsql.max_links = -1


; Allow or prevent persistent links.
sybase.allow_persistent = On

; Maximum number of persistent links.  -1 means no limit.
sybase.max_persistent = -1

; Maximum number of links (persistent + non-persistent).  -1 means no limit.
sybase.max_links = -1

;sybase.interface_file = "/usr/sybase/interfaces"

; Minimum error severity to display.
sybase.min_error_severity = 10

; Minimum message severity to display.
sybase.min_message_severity = 10

; Compatibility mode with old versions of PHP 3.0.
; If on, this will cause PHP to automatically assign types to results according
; to their Sybase type, instead of treating them all as strings.  This
; compatibility mode will probably not stay around forever, so try applying
; whatever necessary changes to your code, and turn it
sybase.compatability_mode = Off


; Allow or prevent persistent links.
sybct.allow_persistent = On

; Maximum number of persistent links.  -1 means no limit.
sybct.max_persistent = -1

; Maximum number of links (persistent + non-persistent).  -1 means no limit.
sybct.max_links = -1

; Minimum server message severity to display.
sybct.min_server_severity = 10

; Minimum client message severity to display.
sybct.min_client_severity = 10


; Number of decimal digits for all bcmath functions.
bcmath.scale = 0


;browscap = extra/browscap.ini


; Default host for ifx_connect() (doesn't apply in safe
ifx.default_host =

; Default user for ifx_connect() (doesn't apply in safe
ifx.default_user =

; Default password for ifx_connect() (doesn't apply in safe mode).
ifx.default_password =

; Allow or prevent persistent links.
ifx.allow_persistent = On

; Maximum number of persistent links.  -1 means no limit.
ifx.max_persistent = -1

; Maximum number of links (persistent + non-persistent).  -1 means no limit.
ifx.max_links = -1

; If on, select statements return the contents of a text blob instead of its id.
ifx.textasvarchar = 0

; If on, select statements return the contents of a byte blob instead of its id.
ifx.byteasvarchar = 0

; Trailing blanks are stripped from fixed-length char columns.  May help the
; life of Informix SE users.
ifx.charasvarchar = 0

; If on, the contents of text and byte blobs are dumped to a file instead of
; keeping them in memory.
ifx.blobinfile = 0

; NULL's are returned as empty strings, unless this is set to 1.  In that case,
; NULL's are returned as string 'NULL'.
ifx.nullformat = 0


; Handler used to store/retrieve data.
session.save_handler = files

; Argument passed to save_handler.  In the case of files, this is the path
; where data files are stored.
session.save_path = /tmp

; Whether to use cookies.
session.use_cookies = 1

; Name of the session (used as cookie name). = PHPSESSID

; Initialize session on request startup.
session.auto_start = 0

; Lifetime in seconds of cookie or, if 0, until browser is
session.cookie_lifetime = 0

; The path for which the cookie is valid.
session.cookie_path = /

; The domain for which the cookie is valid.
session.cookie_domain =

; Handler used to serialize data.  php is the standard serializer of PHP.
session.serialize_handler = php

; Percentual probability that the 'garbage collection' process is started
; on every session initialization.
session.gc_probability = 1

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

; Check HTTP Referer to invalidate externally stored URLs containing ids.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public} to determine HTTP caching aspects.
session.cache_limiter = nocache

; Document expires after n minutes.
session.cache_expire = 180

; use transient sid support if enabled by compiling with
session.use_trans_sid = 1

url_rewriter.tags =


; Allow or prevent persistent links.
mssql.allow_persistent = On

; Maximum number of persistent links.  -1 means no limit.
mssql.max_persistent = -1

; Maximum number of links (persistent+non persistent).  -1 means no limit.
mssql.max_links = -1

; Minimum error severity to display.
mssql.min_error_severity = 10

; Minimum message severity to display.
mssql.min_message_severity = 10

; Compatibility mode with old versions of PHP 3.0.
mssql.compatability_mode = Off

; Valid range 0 - 2147483647.  Default = 4096.
;mssql.textlimit = 4096

; Valid range 0 - 2147483647.  Default = 4096.
;mssql.textsize = 4096

; Limits the number of records in each batch.  0 = all records in one batch.
;mssql.batchsize = 0


; Assert(expr); active by default.
; = On

; Issue a PHP warning for each failed assertion.
;assert.warning = On

; Don't bail out by default.
;assert.bail = Off

; User-function to be called if an assertion fails.
;assert.callback = 0

; Eval the expression with current error_reporting().  Set to true if you want
; error_reporting(0) around the eval().
;assert.quiet_eval = 0

[Ingres II]

; Allow or prevent persistent links.
ingres.allow_persistent = On

; Maximum number of persistent links.  -1 means no limit.
ingres.max_persistent = -1

; Maximum number of links, including persistents.  -1 means no limit.
ingres.max_links = -1

; Default database (format:
ingres.default_database =

; Default user.
ingres.default_user =

; Default password.
ingres.default_password =

[Verisign Payflow Pro]

; Default Signio server.
pfpro.defaulthost = ""

; Default port to connect to.
pfpro.defaultport = 443

; Default timeout in seconds.
pfpro.defaulttimeout = 30

; Default proxy IP address (if required).
;pfpro.proxyaddress =

; Default proxy port.
;pfpro.proxyport =

; Default proxy logon.
;pfpro.proxylogon =

; Default proxy password.
;pfpro.proxypassword =


; Use the system read() function instead of the php_read()
sockets.use_system_read = On


; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
;com.typelib_file =

; allow Distributed-COM calls
;com.allow_dcom = true

Done with php.ini file (ignore the hard return marks).

Script that causes error:


<?
// Redirect to the login form when either field is missing, and stop there.
if ((!$username) || (!$password)) {
	header("Location: http://localhost/show_login.html");
	exit;
}

$db_name = "testDB";
$table_name = "auth_users";

// The password argument is cut off in the report; "..." stands in for it.
$connection = @mysql_connect("localhost", "sandman", "...")
	or die("Couldn't connect.");

$db = mysql_select_db($db_name, $connection)
	or die("Couldn't select database.");

// The end of the WHERE clause is cut off in the report; a comparison with
// $password is assumed here.
$sql = "SELECT * FROM $table_name
	WHERE username = \"$username\" AND password = \"$password\"";

$result = mysql_query($sql)
	or die("Can't execute query.");

$num = mysql_numrows($result);

if ($num != 0) {

	// Cookie named "auth" with the fixed value "ok", valid for the whole site.
	$cookie_name = "auth";
	$cookie_value = "ok";
	$cookie_expire = "";
	$cookie_domain = "";
	setcookie($cookie_name, $cookie_value, $cookie_expire, "/", $cookie_domain, 0);

	$display_block = "
	<p><strong>Secret Menu:</strong></p>
	<li><a href=\"secretA.php\">secret page A</a>
	<li><a href=\"secretB.php\">secret page B</a>
	";

} else {

	header("Location: http://localhost/show_login.html");
	exit;
}
?>

<TITLE>Secret Area</TITLE>

<? echo "$display_block"; ?>


End of error script.

Here are the two scripts that co-work with the first:

Script 1:


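<?
// $auth comes from the request (here the "auth" cookie) because
// register_globals is On.
if ($auth == "ok") {

	// The rest of this message is cut off in the report.
	$msg = "<P>Welcome to secret page A, authorized ";
} else {

	header( "Location: http://localhost/show_login.html");
	exit;
}
?>

<TITLE>Secret Page A</TITLE>

<? echo "$msg"; ?>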


Script 2:


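<?
// $auth comes from the request (here the "auth" cookie) because
// register_globals is On.
if ($auth == "ok") {

	// The rest of this message is cut off in the report.
	$msg = "<P>Welcome to secret page B, authorized ";
} else {

	header( "Location: http://localhost/show_login.html");
	exit;
}
?>

<TITLE>Secret Page B</TITLE>

<? echo "$msg"; ?>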


End of scripts.

I am using Apache version 1.3.2 (or whatever one comes
right before v2.0beta). I am not using any modules except
for the newest PHP module.
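
The scripts in this report decide access from a variable named auth that the browser supplies, and the posted php.ini has register_globals = On and session.use_trans_sid = 1. As an added example (not code from the report or from the PHP project), here is the same login flow with the decision kept in server-side session state; it assumes PHP 7.0 or later with pdo_sqlite, and the in-memory auth_users table, the user alice and her password are constructed samples.

```php
<?php
// Added example, not code from the report. Assumes PHP 7.0+ with pdo_sqlite.
// The in-memory table, the user "alice" and her password are constructed samples.
declare(strict_types=1);

// A web entry point calls this first, then require_login() on protected pages.
function start_hardened_session(): void
{
    session_start([
        'use_strict_mode'  => 1,  // reject session ids the server did not issue
        'use_only_cookies' => 1,  // never accept a session id from the URL
        'use_trans_sid'    => 0,  // never write the session id into links
        'cookie_httponly'  => 1,  // keep the session cookie away from page scripts
    ]);
}

function open_sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth_users (username TEXT PRIMARY KEY, password TEXT)');
    $stmt = $db->prepare('INSERT INTO auth_users (username, password) VALUES (?, ?)');
    // Store a salted hash, never the password itself.
    $stmt->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);
    return $db;
}

function login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM auth_users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    // Issue a new session id on login, then record the login server-side.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['auth_user'] = $username;
    return true;
}

function is_authorized(): bool
{
    // Only server-side session state counts; request values named "auth"
    // ($_GET, $_POST, $_COOKIE) are never consulted.
    return isset($_SESSION['auth_user']) && is_string($_SESSION['auth_user']);
}

function require_login(): void
{
    if (!is_authorized()) {
        header('Location: http://localhost/show_login.html');
        exit; // stop here so the protected page body is never rendered
    }
}

// Constructed command-line demo: a client-supplied auth=ok cookie changes
// nothing, a wrong password is refused, and the right one logs in.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $_COOKIE['auth'] = 'ok';
    $db = open_sample_db();
    var_dump(is_authorized());
    var_dump(login($db, 'alice', 'wrong-guess'));
    var_dump(login($db, 'alice', 'constructed-sample-pw'));
    var_dump(is_authorized());
}
```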


 [2001-06-13 10:59 UTC]
Ask support questions somewhere else. This is not a bug.
