php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #23454 Combining GET and POST array values is broken
Submitted: 2003-05-02 14:35 UTC Modified: 2003-05-13 17:09 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: oregon at pobox dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 4.3.2RC3-dev OS: ANY
Private report: No CVE-ID:
 [2003-05-02 14:35 UTC] oregon at pobox dot com
When both GET and POST variables are sent at the same time to the same array, the GET variables are not getting set correctly (with register_globals=on and track_vars=on).

Example:

<form action="bug?person[age]=12" method=post>
<input type=text size=32 name=person[sname]
</form>

With register_globals=on and track_vars=on, the script should get both $person['age'] and $person['sname'], and this worked properly in earlier versions of PHP (at least up to 4.2.3).  But as of 4.3.1, the POST variable is getting set but the GET variable is lost.  This is causing properly written scripts to break under new versions of PHP.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-05-02 17:45 UTC] michael dot mauch at gmx dot de
Complete script:

<form action="bug23454.php?person[age]=27" method=post>
<input type=text size=32 name="person[sname]">
<input type=submit>
</form>
<pre>
<?php
print "_REQUEST: "; print_r($_REQUEST);
print "_GET: "; print_r($_GET);
print "_POST: "; print_r($_POST);
print "person: "; print_r($person);
?>
</pre>


In 4.2.3 with register_globals on, I get both the POST and GET data 
in $_REQUEST, $person, $_GET (wrong), $_POST (wrong).

In 4.2.3 with register_globals off, I get the POST data  
in $_REQUEST and $_POST, the GET data only in $_GET (not in $_REQUEST).

In php4-STABLE-200305011130 with register_globals on, I see the POST data in $_REQUEST, $_POST and $person, but the GET data is only in  $_GET (not in $_REQUEST and not in $person).

In php4-STABLE-200305011130 with register_globals off, it's the same as with 4.2.3 - i.e. the GET data is missing from $_REQUEST.

To me, this does indeed look like a bug.

I also checked with non-array variables: fortunately they do work 
like advertized.
 [2003-05-02 18:30 UTC] michael dot mauch at gmx dot de
It's not only with about register_globals=on, the GET data are also missing from $_REQUEST if register_globals=off.
 [2003-05-02 18:40 UTC] philip@php.net
This might be related to closed bug #20796:

http://bugs.php.net/20796

Marking this one (#23454) critical as it makes autoglobals unreliable and register_globals should work too.  btw, track_vars doesn't exist anymore, it's always on.
 [2003-05-05 17:43 UTC] sniper@php.net
Here's a bit more extended version of the test script,
including cookies too:

<?php setcookie("person[fname]", "foobar"); ?>                                                        
<form action="bug23454.php?person[age]=27" method=post>                              
<input type=text size=32 name="person[sname]">         
<input type=submit>
</form>
<pre>
<?php
echo phpversion();
echo '<br>register_globals = ', ini_get('register_globals'), '<br>';
print "_GET: "; print_r($_GET);
print "_POST: "; print_r($_POST);
print "_COOKIE: "; print_r($_COOKIE);
print "_REQUEST: "; print_r($_REQUEST);  
print "person: "; print_r($person);
?>
</pre>

 [2003-05-05 17:49 UTC] sniper@php.net
Expected results:

_GET: Array
(
    [person] => Array
        (
            [age] => 27
        )

)
_POST: Array
(
    [person] => Array
        (
            [sname] => bar
        )

)
_COOKIE: Array
(
    [person] => Array
        (
            [fname] => foo
        )

)
_REQUEST: Array
(
    [person] => Array
        (
            [age] => 27
            [fname] => foo
            [sname] => bar
        )

)
person: Array
(
    [age] => 27
    [fname] => foo
    [sname] => bar
)

(the last two are broken since 4.3.0 and only contain 
"fname" entry)
 [2003-05-05 17:53 UTC] rasmus@php.net
You should also mention that before 4.3.0 it was broken the other way.  The $_GET, $_POST and $_COOKIE arrays contained all 3 elements.  Right now the question is which way we want to break it.  Do we want to pollute GPC arrays with data from the other methods (potentially overwriting data) or do we want to break BC and have it slightly more correct but still have broken $_REQUEST and $GLOBALS.  Ideally we want it to be right for both, but I don't really see how to do that without breaking the reference ties between the autoglobals.
 [2003-05-05 18:34 UTC] oregon at pobox dot com
If there's no way to have it both ways, I would recommend that when setting register_globals=on, $_REQUEST and $GLOBALS should have the correct combined result, even if that means $_GET, $_POST and $_COOKIE also have all 3.  But if register_globals=off, then let it should continue to work as it does in 4.3 with the variables separated.  That would keep both register_globals=off and register_globals=on scripts working correctly.
 [2003-05-13 17:09 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 08:02:55 2014 UTC