Bug #18088 $_GET variables are improperly set when POST form submission follows GET method
Submitted: 2002-07-01 09:07 UTC Modified: 2002-07-01 09:52 UTC
From: gryaznov at guta dot ru Assigned:
Status: Not a bug Package: Variables related
PHP Version: 4.2.1 OS: Win2K (at least)
Private report: No CVE-ID: None
 [2002-07-01 09:07 UTC] gryaznov at guta dot ru
Here is the test (file test.php):

<HTML>
<BODY>
<FORM NAME=test.php METHOD=GET>
<INPUT TYPE=HIDDEN NAME=start value=1>
<INPUT TYPE=SUBMIT VALUE=SET>
</FORM>
<FORM NAME=test.php METHOD=POST>
<INPUT TYPE=SUBMIT VALUE=NOTSET>
</FORM>
<BR>
start value is: <?php echo $start ?><BR>
</BODY>
</HTML>

When you click the "set" button in the browser, the $start variable will be 1; when you click the "notset" button after clicking "set", the $start variable will also be 1. Note: if register_globals is off you will need to use $_GET["start"] instead of $start, but it works also. (Though the method was POST, $_GET start variable should not be set)

 [2002-07-01 09:32 UTC] sniper@php.net
This is actually a feature rather than a bug.

When you load the script the first time, the get line
does not have '?start=1' in it. Now, when you press the
NOTSET button, it won't be set.

But when you press the SET button, the url will get '?start=1'
and when you then press NOTSET, it will add it to the $_GET
array.

This is a very good reason why you should use the $_GET / $_POST
arrays and set register_globals=off


 [2002-07-01 09:52 UTC] hholzgra@php.net
guess you wanted to assign 'test.php' to the form *action* not *name*?

'cause now, as you do not specify any action,
it defaults to the page GET url, including parameters ...
 [2004-06-04 10:22 UTC] ghoppy66 at hotmail dot com
In other words;

A lot of forms that post to themselves will have action='' for example, which will, as mentioned above, pass the previous Querystring even if the form's method is POST!

Thus:

<form method='post' action='<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>'>

will destroy the previous querystring. Not a bug? mmm
 [2004-06-04 16:51 UTC] papercrane at reversefold dot com
Nevertheless, this is a feature of your browser, not of PHP. The browser chooses to send the GET querystring and PHP should not be choosing whether or not to populate $_GET and not $_POST. If you're worried about this (and you should be), use $_GET and $_POST, not globals. Just turn register_globals off, it's a huge security hole.
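The behaviour discussed in this thread, as an added example that is not part of the original report or of PHP's code: a small JavaScript model of which URL a browser submits a form to, and of how PHP then fills $_GET, $_POST and (with register_globals on) the shared variable namespace. The function names and the localhost URL are assumptions made for illustration.

```javascript
// Constructed model, not PHP or browser source code.

// Request a browser sends for a form. pageUrl is the URL the form document
// was loaded from; form.action may be missing or empty.
function submitForm(pageUrl, form) {
  const method = (form.method || 'GET').toUpperCase();
  // No action: the target is the document's own URL, query string included.
  const target = new URL(form.action || pageUrl, pageUrl);
  const data = new URLSearchParams(form.fields || {}).toString();
  if (method === 'GET') {
    target.search = data; // GET replaces the query string with the form data
    return { method, url: target.href, body: '' };
  }
  return { method, url: target.href, body: data }; // POST keeps the query string
}

// PHP fills $_GET from the query string whatever the request method is,
// and $_POST from a urlencoded request body.
function phpSuperglobals(request) {
  return {
    get: Object.fromEntries(new URL(request.url).searchParams),
    post: Object.fromEntries(new URLSearchParams(request.body)),
  };
}

// register_globals on: GET then POST values share one namespace (later
// sources override earlier ones), so $start no longer says where it came from.
function registerGlobals(request) {
  const { get, post } = phpSuperglobals(request);
  return { ...get, ...post };
}

// Handler-side check: accept a value only from the expected method's array.
function readParam(request, source, name) {
  if (request.method !== source) return null;
  const bag = phpSuperglobals(request)[source.toLowerCase()];
  return Object.prototype.hasOwnProperty.call(bag, name) ? bag[name] : null;
}

// Walk-through of the report (constructed URL): press SET, then NOTSET.
const afterSet = submitForm('http://localhost/test.php',
  { method: 'GET', fields: { start: '1' } });
const afterNotSet = submitForm(afterSet.url, { method: 'POST' });
console.log(afterNotSet.url, registerGlobals(afterNotSet));
```

Passing `action: 'test.php'` to the second `submitForm` call drops `?start=1` from the target URL, which is the effect the later comments describe.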
 
Last updated: Sun Oct 06 01:01:27 2024 UTC