PHP :: Request #16195 :: GET/POST-vars does not work according to standards

GET/POST-vars does not work according to standards

Submitted:

2002-03-20 18:43 UTC

Modified:

2002-07-14 15:06 UTC

Votes:	3
Avg. Score:	3.7 ± 1.9
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

mail4news at mailme dot dk

Assigned:

Status:

Not a bug

Package:

Feature/Change Request

PHP Version:

4.1.2

OS:

All

Private report:

CVE-ID:

None

View Developer Edit

[2002-03-20 18:43 UTC] mail4news at mailme dot dk

According to (X)HTML standards you are allowed to have more than one variable with the same name in a form. One example of this is a listbox where the user can select multiple items.

The common solution to this is to use "[]" after the name of the variable so that PHP treats it as an array. Ex: <select name="foo[]">

According to the standards, these characters are not allowed in the name. It is unlikely, but not probable, that you may risk incompatibillity problems with some browsers. Even though most browsers accepts it, I think PHP should follow the standards.

One solution:
I haven't seen the source code, so this may be more complicated to fix than I think. When parsing the data from the request there should be a check in the code that checks if it has recieved a variable with the same name. If so, it should change the original variable to an array and add the new variable in that array.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-06-08 10:50 UTC] bigredlinux at yahoo dot com

I think it has become a well adopted standard to use the [] in the names to specify an array or list.  I can't think of a browser or language that does not support this.

[2002-07-09 11:34 UTC] markonen@php.net

The HTML 4 and XHTML standards in fact do support the [] 
characters in input field names.

See:

http://www.w3.org/TR/html401/interact/forms.html#h-17.4 for 
HTML 4.01

and

http://www.w3.org/TR/xhtml-modularization/
abstract_modules.html#s_extfor for XHTML 1.1

[2002-07-14 13:04 UTC] mail4news at mailme dot dk

That's not correct for id and name attributes. Those attributes are specified as CDATA, but in the CDATA description, you'll see that it spesifically imposes restraints on the id and name attributes.

From the spesifications:
http://www.w3.org/TR/html401/types.html#type-cdata

"For some HTML 4 attributes with CDATA attribute values, the specification imposes further constraints on the set of legal values for the attribute that may not be expressed by the DTD"

Further down it says:

"ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by any number of letters, digits ([0-9]), hyphens ("-"), underscores ("_"), colons (":"), and periods (".")"

Since [] aren't part of the allowed characters, we can't count on the browser to send these characters correctly. Even if most browsers (if not all), supports this, PHP forces people to break standards.

[2002-07-14 13:07 UTC] rasmus@php.net

Tough - this won't change

[2002-07-14 13:09 UTC] mail4news at mailme dot dk

Perhaps two new arrays should be included, like _GETA and _POSTA that will return an array instead of a single value?

[2002-07-14 13:11 UTC] rasmus@php.net

No, until such a time that a browser exists where [] doesn't work, I see no reason to change anything.  Standards mean very little on the web.  Most of the web is completely non-standard as it is.

[2002-07-14 13:14 UTC] derick@php.net

Actually, you don't read the standards very well. I have to admit reading it wrong too, but the standard says: "ID and NAME **tokens**" and the NAME attribute to select or input is an ATTRIBUTE, not a TOKEN.
Now get over it, it's conforming to the standards perfectly.

Derick

[2002-07-14 14:49 UTC] markonen@php.net

No, mail4news@mailme.dk seems to be reading the spec 
correctly. The value of a NAME attribute is a NAME token. 
So, there is currently no standards-compliant way to 
retrieve the values of a SELECT MULTIPLE input of a POST 
form in PHP.

While Rasmus is correct in saying that standards matter 
very little on the web today, I refuse to accept that *
blocking* people from using standards-compliant markup is 
the right way to go for PHP.

This data needs to be available *somehow*. Magic arrays are 
not the right way to go, but one should be able to 
replicate the [] behaviour in a standards-compatible token.

[2002-07-14 15:06 UTC] markonen@php.net

Okie, I'm stoopid and need to learn to read the w3c 
ciphertext

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Dec 03 21:01:29 2024 UTC