|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #18088 $_GET variables are improper set when POST form submittion follows GET method
Submitted: 2002-07-01 09:07 UTC Modified: 2002-07-01 09:52 UTC
From: gryaznov at guta dot ru Assigned:
Status: Not a bug Package: Variables related
PHP Version: 4.2.1 OS: Win2K (at least)
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: gryaznov at guta dot ru
New email:
PHP Version: OS:


 [2002-07-01 09:07 UTC] gryaznov at guta dot ru
Here is the test (file test.php):

<INPUT TYPE=HIDDEN NAME=start value=1>
start value is: <?php echo $start ?><BR>

When you click "set" button in browser, $start variable will be 1, when you click "notset" button after clicking "set" $start variable will be 1 also. Note: if register_globals is off you will need to use $_GET["start"] instead of $start, but it works also. (Though the method was POST, $_GET start variable should not be set)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-01 09:32 UTC]
This is actually a feature rather than bug.

When you load the script first time, the get line 
does not have '?start=1' in it. Now, when you press the
NOTSET button, it won't be set.

But when you press SET button, the url will get '?start=1'
and when you then press NOTSET, it will add it to $_GET

This is very good reason why you should use $_GET / $_POST 
arrays and set register_globals=off

 [2002-07-01 09:52 UTC]
guess you wanted to assign 'test.php' to the form *action* not *name*?

'cause now, as you do not specify any action,
it defaults to the page GET url, including parameters ...
 [2004-06-04 10:22 UTC] ghoppy66 at hotmail dot com
In other words;

Alot of forms that post to themselves will have action='' for example, which will, as mentioned above, pass the previous Querystring even if the form's method is POST!


<form method='post' action='<?=$_SERVER['PHP_SELF']?>'> 

will destroy the previous querystring. Not a bug? mmm
 [2004-06-04 16:51 UTC] papercrane at reversefold dot com
Nevertheless, this is a feature of your browser, not of PHP. The browser chooses to send the GET querystring and PHP should not be choosing whether or not to populate $_GET and not $_POST. If you're worried about this (and you should be), use $_GET and $_POST, not globals. Just turn register_globals off, it's a huge security hole.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun May 26 09:01:32 2024 UTC