|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #19527 http get variable not translated to php variables
Submitted: 2002-09-20 11:46 UTC Modified: 2002-09-20 12:27 UTC
From: mike dot t dot gallant at cummins dot com Assigned:
Status: Not a bug Package: *Web Server problem
PHP Version: 4.2.3 OS: Red Hat 7.2 linux
Private report: No CVE-ID: None
 [2002-09-20 11:46 UTC] mike dot t dot gallant at cummins dot com
The variables from a http get do not get translated in to internal php variables.  I was trying to install a php program that relied on this feature.  I created a small program to simulate it.

Redhat7.2 Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ss
l/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.2.3 mod_perl/1.24_01

4.2.3 was build with apache & mysql (per web site)

->http url







http_get menuAction=then

http_get test3=now


<html><head><title>PHP Test</title></head>
echo phpversion()."<p>";
echo $menuAction;
echo $_GET['menuAction'];
foreach ($_GET as $get_array => $get_vars) {
  print("http_get $get_array=$get_vars<p>");
foreach ($_POST as $post_array => $post_vars) {
  print("http_post $post_array=$post_vars<p>");

->php.ini (partial)
;open_basedir =

; Setting certain environment variables may be a potential security breach.
; This directive contains a comma-delimited list of prefixes.  In Safe Mode,
; the user may only alter environment variables whose names begin with the
; prefixes supplied here.  By default, users will only be able to set
; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
; Note:  If this directive is empty, PHP will let the user modify ANY
; environment variable!
safe_mode_allowed_env_vars = PHP_

; This directive contains a comma-delimited list of environment variables that
; the end user won't be able to change using putenv().  These variables will be
; protected even if safe_mode_allowed_env_vars is set to allow to change them.
safe_mode_protected_env_vars = LD_LIBRARY_PATH

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names.  This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions =

; Colors for Syntax Highlighting mode.  Anything that's acceptable in
; <font color="??????"> would work.
highlight.string  = #CC0000
highlight.comment = #FF9900
highlight.keyword = #006600      = #FFFFFF
highlight.default = #0000CC
highlight.html    = #000000

; Misc
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = On

; Resource Limits ;

max_execution_time = 30     ; Maximum execution time of each script, in seconds
memory_limit = 8M      ; Maximum amount of memory a script may consume (8MB)

; Error handling and logging ;

; error_reporting is a bit-field.  Or each number up to get desired error
; reporting level
; E_ALL             - All errors and warnings
; E_ERROR           - fatal run-time errors
; E_WARNING         - run-time warnings (non-fatal errors)
; E_PARSE           - compile-time parse errors
; E_NOTICE          - run-time notices (these are warnings which often result
;                     from a bug in your code, but it's possible that it was
;                     intentional (e.g., using an uninitialized variable and
;                     relying on the fact it's automatically initialized to an
;                     empty string)
; E_CORE_ERROR      - fatal errors that occur during PHP's initial startup
; E_CORE_WARNING    - warnings (non-fatal errors) that occur during PHP's
;                     initial startup
; E_COMPILE_ERROR   - fatal compile-time errors
; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
; E_USER_ERROR      - user-generated error message
; E_USER_WARNING    - user-generated warning message
; E_USER_NOTICE     - user-generated notice message
; Examples:
;   - Show all errors, except for notices
;error_reporting = E_ALL & ~E_NOTICE
;   - Show only errors
;   - Show all errors except for notices
error_reporting  =  E_ALL & ~E_NOTICE

; Print out errors (as a part of the output).  For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).  Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.
display_errors = On

; Even when display_errors is on, errors that occur during PHP's startup
; sequence are not displayed.  It's strongly recommended to keep
; display_startup_errors off, except for when debugging.
display_startup_errors = Off

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = Off

; Store the last error/warning message in $php_errormsg (boolean).
track_errors = Off

; Disable the inclusion of HTML tags in error messages.
;html_errors = Off

; String to output before an error message.
;error_prepend_string = "<font color=ff0000>"

; String to output after an error message.
;error_append_string = "</font>"

; Log errors to specified file.
;error_log = filename

; Log errors to syslog (Event Log on NT, not valid in Windows 95).
;error_log = syslog

; Data Handling ;
; Note - track_vars is ALWAYS enabled as of PHP 4.0.3

; The separator used in PHP generated URLs to separate arguments.
; Default is "&".
;arg_separator.output = "&amp;"

; List of separator(s) used by PHP to parse input URLs into variables.
; Default is "&".
; NOTE: Every character in this directive is considered as separator!
;arg_separator.input = ";&"

; This directive describes the order in which PHP registers GET, POST, Cookie,
; Environment and Built-in variables (G, P, C, E & S respectively, often
; referred to as EGPCS or GPC).  Registration is done from left to right, newer
; values override older values.
variables_order = "EGPCS"

; Whether or not to register the EGPCS variables as global variables.  You may
; want to turn this off if you don't want to clutter your scripts' global scope
; with user data.  This makes most sense when coupled with track_vars - in which
; case you can access all of the GPC variables through the $HTTP_*_VARS[],
; variables.
; You should do your best to write your scripts so that they do not require
; register_globals to be on;  Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
; register_globals = Off
register_globals = On

; This directive tells PHP whether to declare the argv&argc variables (that
; would contain the GET information).  If you don't use these variables, you
; should turn it off for increased performance.
register_argc_argv = On

; Maximum size of POST data that PHP will accept.
post_max_size = 8M

; This directive is deprecated.  Use variables_order instead.
gpc_order = "GPC"

; Magic quotes

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-09-20 11:48 UTC]
This is normally caused by register_globals being off. Are you sure this is the php.ini file that PHP uses?
(Check the location in the output of phpinfo(); , it's at the top somewhere).

 [2002-09-20 12:15 UTC] mike dot t dot gallant at cummins dot com
Thanks very much for the quick reply.  I use the phpinfo() to check the location and setting and found it would have helped if I had changed php.ini-dist to php.ini in /usr/local/lib.  Thanks for the tool to assist me with diagnosing issues prior to submitting them.
 [2002-09-20 12:27 UTC]
Setting the status to "bogus", as this was not a real bug after all.

PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Apr 17 07:01:25 2021 UTC