php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #18088 $_GET variables are improper set when POST form submittion follows GET method
Submitted: 2002-07-01 09:07 UTC Modified: 2002-07-01 09:52 UTC
From: gryaznov at guta dot ru Assigned:
Status: Not a bug Package: Variables related
PHP Version: 4.2.1 OS: Win2K (at least)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
50 + 9 = ?
Subscribe to this entry?

 
 [2002-07-01 09:07 UTC] gryaznov at guta dot ru
Here is the test (file test.php):

<HTML>
<BODY>
<FORM NAME=test.php METHOD=GET>
<INPUT TYPE=HIDDEN NAME=start value=1>
<INPUT TYPE=SUBMIT VALUE=SET>
</FORM>
<FORM NAME=test.php METHOD=POST>
<INPUT TYPE=SUBMIT VALUE=NOTSET>
</FORM>
<BR>
start value is: <?php echo $start ?><BR>
</BODY>
</HTML>

When you click "set" button in browser, $start variable will be 1, when you click "notset" button after clicking "set" $start variable will be 1 also. Note: if register_globals is off you will need to use $_GET["start"] instead of $start, but it works also. (Though the method was POST, $_GET start variable should not be set)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-01 09:32 UTC] sniper@php.net
This is actually a feature rather than bug.

When you load the script first time, the get line 
does not have '?start=1' in it. Now, when you press the
NOTSET button, it won't be set.

But when you press SET button, the url will get '?start=1'
and when you then press NOTSET, it will add it to $_GET
array. 

This is very good reason why you should use $_GET / $_POST 
arrays and set register_globals=off


 [2002-07-01 09:52 UTC] hholzgra@php.net
guess you wanted to assign 'test.php' to the form *action* not *name*?

'cause now, as you do not specify any action,
it defaults to the page GET url, including parameters ...
 [2004-06-04 10:22 UTC] ghoppy66 at hotmail dot com
In other words;

Alot of forms that post to themselves will have action='' for example, which will, as mentioned above, pass the previous Querystring even if the form's method is POST!

Thus:

<form method='post' action='<?=$_SERVER['PHP_SELF']?>'> 

will destroy the previous querystring. Not a bug? mmm
 [2004-06-04 16:51 UTC] papercrane at reversefold dot com
Nevertheless, this is a feature of your browser, not of PHP. The browser chooses to send the GET querystring and PHP should not be choosing whether or not to populate $_GET and not $_POST. If you're worried about this (and you should be), use $_GET and $_POST, not globals. Just turn register_globals off, it's a huge security hole.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri May 24 00:01:31 2024 UTC