PHP :: Bug #28753 :: adding [] to the querystring often produce error

Bug #28753	adding [] to the querystring often produce error
Submitted:	2004-06-12 11:52 UTC	Modified:	2004-07-06 10:25 UTC
From:	ppmm at wuxinan dot net	Assigned:
Status:	Wont fix	Package:	Arrays related
PHP Version:	4.3.7	OS:	All
Private report:	No	CVE-ID:	None

View Developer Edit

[2004-06-12 11:52 UTC] ppmm at wuxinan dot net

Description:
------------
Have a look at the following URL, for example:
http://us2.php.net/source.php?url[]=/manual/en/installation.php

I think it's a very classical problem in PHP. $_GET["url"] becomes an array in PHP script. This is a good thing, but the side-effect is that when $_GET["url"] is not expected to be an array, script would often produce an error, the message of which often includes the filesystem path of the PHP file on the server. Surf whatever PHP-based website and try this trick, it would often produce a great error message for hackers.

Sure, webmaster could, however, prevent this kind of error from happening by some simple error checking. However, I mean, in the future release of PHP, is there any way we can do things better? Or somehow we need to educate webmaster about this (possibly security-related) issue.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-06-12 12:19 UTC] derick@php.net

This is up to the programmers, not to us to fix.

[2004-07-06 10:25 UTC] ppmm at wuxinan dot net

true. But might be useful if we can turn off this feature via php.ini

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 12:01:31 2024 UTC