It is possible to overwrite the $GLOBALS array from GET/POST/COOKIE vars.
For example, try the script below:
(will print the full GLOBALS array)
(will print a GLOBALS array with just one entry)
_GET, _POST, etc. superglobals are not vulnerable.
PHP5 does not exhibit this behaviour.
<a href="script.php?GLOBALS[php]=error">kill GLOBALS</a>
<?php
print_r( $GLOBALS );
?>
Full display of GLOBALS array
GLOBALS array with just one entry
Here are some patches I wrote to fix this:
For PHP_4_3 branch:
For HEAD branch:
Note: In HEAD you _can_ overwrite GLOBALS with this:
but NOT with this:
Here's a better patch, by Ilia:
This bug has been fixed in CVS.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
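
The behaviour reported above, modelled as an added example (not code from the report, the patches, or the PHP source): a register_globals-style import that copies request keys into a symbol table, next to a guarded version that refuses reserved names. The function names, the `$symbols` array standing in for the global symbol table, the reserved-name list and the sample values are assumptions made for illustration; it is written for PHP 7 or later.

```php
<?php
// Added illustration: a model of register_globals-style import, not PHP's own code.
// $symbols stands in for the global symbol table (assumption).

// Names a request parameter must never be allowed to define (assumed list).
const RESERVED_NAMES = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                        '_SERVER', '_ENV', '_REQUEST', '_SESSION'];

// Unguarded import: every request key becomes a variable, whatever its name.
function import_unguarded(array $symbols, array $input): array
{
    foreach ($input as $name => $value) {
        $symbols[$name] = $value;
    }
    return $symbols;
}

// Guarded import: reserved names are skipped and reported to the caller.
function import_guarded(array $symbols, array $input, array &$rejected): array
{
    foreach ($input as $name => $value) {
        if (in_array((string) $name, RESERVED_NAMES, true)) {
            $rejected[] = (string) $name;
            continue;
        }
        $symbols[$name] = $value;
    }
    return $symbols;
}

// Constructed sample: the parameter from the report's link plus an ordinary one.
parse_str('GLOBALS[php]=error&page=2', $input);

// Constructed symbol table; the 'GLOBALS' value is a placeholder for the real entry.
$symbols = ['GLOBALS' => '<symbol table>', 'debug' => false];

// Unguarded: the request-supplied array replaces the GLOBALS entry.
$after = import_unguarded($symbols, $input);
print_r($after['GLOBALS']);

// Guarded: the GLOBALS entry is left intact and the refused name is recorded.
$rejected = [];
$after = import_guarded($symbols, $input, $rejected);
var_dump($after['GLOBALS'] === '<symbol table>');
print_r($rejected);
```

The same reserved-name check applies to legacy code that emulates register_globals with `extract()` or a variable-variable loop over request arrays.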