|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #24 PHO allowing the overwriting of environment variables
Submitted: 1998-01-30 13:39 UTC Modified: 1998-01-30 20:54 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: alden at math dot ohio-state dot edu Assigned:
Status: Closed Package: Other
PHP Version: 3.0 Latest CVS OS: Solaris 2.6
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: alden at math dot ohio-state dot edu
New email:
PHP Version: OS:


 [1998-01-30 13:39 UTC] alden at math dot ohio-state dot edu
  According to the php 2.0 doc's (I am using 3.0) PHP isn't
supposed to allow the overwriting of environment variables
by adding "?".  I have the
following file "test.php3" in my doc root:

<?echo "remote_host=$REMOTE_HOST";?>

And then I pointed netscape at:

And it returned:

Am I missing something?

On a similar topic, I need to get at the REMOTE_USER environment
variable without the user being able to change this.  I use
the .htaccess method of authentication, but I need to know
the username of the remote user.  In my old perl scripts I
just checked REMOTE_USER, but PHP seems to allow the user
to overwrite this.

...dave alden


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [1998-01-30 20:54 UTC] zeev
Environment variables will now overwrite any GET/POST/Cookie
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Jul 18 14:01:29 2024 UTC