Bug #18088 $_GET variables are improperly set when POST form submission follows GET method
Submitted: 2002-07-01 09:07 UTC
Modified: 2002-07-01 09:52 UTC
From: gryaznov at guta dot ru
Assigned:
Status: Not a bug
Package: Variables related
PHP Version: 4.2.1
OS: Win2K (at least)
Private report: No
CVE-ID: None

 [2002-07-01 09:07 UTC] gryaznov at guta dot ru
Here is the test (file test.php):

<HTML>
<BODY>
<FORM NAME=test.php METHOD=GET>
<INPUT TYPE=HIDDEN NAME=start value=1>
<INPUT TYPE=SUBMIT VALUE=SET>
</FORM>
<FORM NAME=test.php METHOD=POST>
<INPUT TYPE=SUBMIT VALUE=NOTSET>
</FORM>
<BR>
start value is: <?php echo $start ?><BR>
</BODY>
</HTML>

When you click the "set" button in the browser, the $start variable will be 1; when you click the "notset" button after clicking "set", the $start variable will also be 1. Note: if register_globals is off you will need to use $_GET["start"] instead of $start, but it works also. (Though the method was POST, the $_GET start variable should not be set.)

 [2002-07-01 09:32 UTC] sniper@php.net
This is actually a feature rather than a bug.

When you load the script the first time, the get line
does not have '?start=1' in it. Now, when you press the
NOTSET button, it won't be set.

But when you press the SET button, the url will get '?start=1'
and when you then press NOTSET, it will add it to the $_GET
array.

This is a very good reason why you should use the $_GET / $_POST
arrays and set register_globals=off.


 [2002-07-01 09:52 UTC] hholzgra@php.net
guess you wanted to assign 'test.php' to the form *action* not *name*?

'cause now, as you do not specify any action,
it defaults to the page GET url, including parameters ...
 [2004-06-04 10:22 UTC] ghoppy66 at hotmail dot com
In other words;

A lot of forms that post to themselves will have action='' for example, which will, as mentioned above, pass the previous querystring even if the form's method is POST!

Thus:

<form method='post' action='<?=$_SERVER['PHP_SELF']?>'> 

will destroy the previous querystring. Not a bug? mmm
 [2004-06-04 16:51 UTC] papercrane at reversefold dot com
Nevertheless, this is a feature of your browser, not of PHP. The browser chooses to send the GET querystring and PHP should not be choosing whether or not to populate $_GET and not $_POST. If you're worried about this (and you should be), use $_GET and $_POST, not globals. Just turn register_globals off, it's a huge security hole.
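
The request flow discussed in this thread, replayed as an added example (not part of the original report or of PHP itself). It models the browser's form-submission rules for the two cases above and shows which superglobal each value would land in; `submitForm`, `phpSuperglobals`, `replay` and the host `example.test` are hypothetical names chosen for illustration.

```javascript
// Simplified model of browser form submission for the cases in this report.
// submitForm() and its parameter shape are hypothetical, not a browser API.
function submitForm(documentUrl, form) {
  // A missing or empty action attribute means "submit to the document's URL",
  // and that URL still carries whatever query string the page was loaded with.
  const action = new URL(form.action || '', documentUrl);
  action.hash = ''; // the fragment is never sent to the server
  const data = new URLSearchParams(form.fields || {});

  if ((form.method || 'GET').toUpperCase() === 'GET') {
    // GET: the form data REPLACES any query string on the action URL.
    action.search = data.toString();
    return { method: 'GET', url: action.href, body: '' };
  }
  // POST: the form data goes in the body; the action URL's query is kept.
  return { method: 'POST', url: action.href, body: data.toString() };
}

// What PHP then exposes: $_GET comes from the URL query and $_POST from the
// body, independent of the request method.
function phpSuperglobals(request) {
  return {
    _GET: Object.fromEntries(new URL(request.url).searchParams),
    _POST: Object.fromEntries(new URLSearchParams(request.body)),
  };
}

// Constructed walk-through of the report's test.php.
function replay() {
  const page = 'http://example.test/test.php';
  const setForm = { method: 'GET', fields: { start: '1' } }; // SET button
  const notsetForm = { method: 'POST', fields: {} };         // NOTSET button

  const first = submitForm(page, notsetForm);          // fresh load, NOTSET
  const afterSet = submitForm(page, setForm);          // SET adds ?start=1
  const second = submitForm(afterSet.url, notsetForm); // NOTSET from that URL
  // Same POST form, but with an explicit action that carries no query string.
  const fixed = submitForm(afterSet.url, { ...notsetForm, action: '/test.php' });
  return [first, afterSet, second, fixed]
    .map((r) => ({ ...r, ...phpSuperglobals(r) }));
}

console.log(replay());
```

The third entry is a POST whose `_GET` still contains `start`, which is why server code should read each value from the specific array it expects and check the request method before acting on it.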
 
Last updated: Thu Dec 12 04:01:27 2024 UTC