PHP :: Bug #18088 :: $_GET variables are improper set when POST form submittion follows GET method

Bug #18088	$_GET variables are improper set when POST form submittion follows GET method
Submitted:	2002-07-01 09:07 UTC	Modified:	2002-07-01 09:52 UTC
From:	gryaznov at guta dot ru	Assigned:
Status:	Not a bug	Package:	Variables related
PHP Version:	4.2.1	OS:	Win2K (at least)
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 4 - 1 = ?
Subscribe to this entry?

[2002-07-01 09:07 UTC] gryaznov at guta dot ru

Here is the test (file test.php):

<HTML>
<BODY>
<FORM NAME=test.php METHOD=GET>
<INPUT TYPE=HIDDEN NAME=start value=1>
<INPUT TYPE=SUBMIT VALUE=SET>
</FORM>
<FORM NAME=test.php METHOD=POST>
<INPUT TYPE=SUBMIT VALUE=NOTSET>
</FORM>
<BR>
start value is: <?php echo $start ?><BR>
</BODY>
</HTML>

When you click "set" button in browser, $start variable will be 1, when you click "notset" button after clicking "set" $start variable will be 1 also. Note: if register_globals is off you will need to use $_GET["start"] instead of $start, but it works also. (Though the method was POST, $_GET start variable should not be set)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-07-01 09:32 UTC] sniper@php.net

This is actually a feature rather than bug.

When you load the script first time, the get line 
does not have '?start=1' in it. Now, when you press the
NOTSET button, it won't be set.

But when you press SET button, the url will get '?start=1'
and when you then press NOTSET, it will add it to $_GET
array. 

This is very good reason why you should use $_GET / $_POST 
arrays and set register_globals=off

[2002-07-01 09:52 UTC] hholzgra@php.net

guess you wanted to assign 'test.php' to the form *action* not *name*?

'cause now, as you do not specify any action,
it defaults to the page GET url, including parameters ...

[2004-06-04 10:22 UTC] ghoppy66 at hotmail dot com

In other words;

Alot of forms that post to themselves will have action='' for example, which will, as mentioned above, pass the previous Querystring even if the form's method is POST!

Thus:

<form method='post' action='<?=$_SERVER['PHP_SELF']?>'> 

will destroy the previous querystring. Not a bug? mmm

[2004-06-04 16:51 UTC] papercrane at reversefold dot com

Nevertheless, this is a feature of your browser, not of PHP. The browser chooses to send the GET querystring and PHP should not be choosing whether or not to populate $_GET and not $_POST. If you're worried about this (and you should be), use $_GET and $_POST, not globals. Just turn register_globals off, it's a huge security hole.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 30 08:01:30 2024 UTC