php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28753 adding [] to the querystring often produce error
Submitted: 2004-06-12 11:52 UTC Modified: 2004-07-06 10:25 UTC
From: ppmm at wuxinan dot net Assigned:
Status: Wont fix Package: Arrays related
PHP Version: 4.3.7 OS: All
Private report: No CVE-ID: None
 [2004-06-12 11:52 UTC] ppmm at wuxinan dot net
Description:
------------
Have a look at the following URL, for example:
http://us2.php.net/source.php?url[]=/manual/en/installation.php

I think it's a very classical problem in PHP. $_GET["url"] becomes an array in PHP script. This is a good thing, but the side-effect is that when $_GET["url"] is not expected to be an array, script would often produce an error, the message of which often includes the filesystem path of the PHP file on the server. Surf whatever PHP-based website and try this trick, it would often produce a great error message for hackers.

Sure, webmaster could, however, prevent this kind of error from happening by some simple error checking. However, I mean, in the future release of PHP, is there any way we can do things better? Or somehow we need to educate webmaster about this (possibly security-related) issue.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-06-12 12:19 UTC] derick@php.net
This is up to the programmers, not to us to fix.
 [2004-07-06 10:25 UTC] ppmm at wuxinan dot net
true. But might be useful if we can turn off this feature via php.ini
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 04:01:28 2024 UTC