php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #40224 Could PHP leave superglobal array indices alone?
Submitted: 2007-01-24 20:09 UTC Modified: 2008-01-02 15:02 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: joem at tempomg dot com Assigned:
Status: Wont fix Package: Feature/Change Request
PHP Version: 5.2.0 OS: redhat linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: joem at tempomg dot com
New email:
PHP Version: OS:

 

 [2007-01-24 20:09 UTC] joem at tempomg dot com 
Description:
------------
I think it would make more sense if PHP only replaced '.' and ' ' with '_' when register_globals is turned on, and only for the variables that are registered in the global scope, leaving the superglobals' index names as they are.

I understand that variable names can't have '.' or ' ' in them, however it seems that most people use the $_POST['variablename'] method of accessing external variables, and in this case, the spaces and dots make no difference.

I could find practically no reference to this behavior in the manual, other than a couple notes I submitted.  At the very least, the fact that these characters are replaced should be made more obvious in the manual under "Predefined Variables" at http://us2.php.net/manual/en/language.variables.predefined.php and http://us2.php.net/manual/en/reserved.variables.php

Reproduce code:
---------------
<form method="post">
  <input name="title for page3.php" type="text">
  <input type="submit">
</form>

Title submitted:
<?php
  if (count($_POST) > 0)
    echo $_POST['title for page3.php'];
?>

Expected result:
----------------
I expect to see the title I submitted print out.

Actual result:
--------------
The POST key 'title for page3.php' is changed to 'title_for_page3_php', and nothing prints out.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-12-31 23:15 UTC] michael at chunkycow dot com dot au 
G'day

Why dont you just call it 'title' then:

<?
if(!empty($_POST['title']))
  echo $_POST['title'];
?>

you can even make them an array eg.

<form method="post">
  <input name="title[]" type="text">
  <input type="submit">
</form>

<?
if( (!empty($_POST['title'])) && is_array($_POST['title']))
{
  foreach($_POST['title'] AS $title)
    echo $title,'<br>';
}
?>

You should be escaping the output for real life code but I'm sure you knew that ;)
 [2008-01-01 16:24 UTC] johannes@php.net 
This can't be fixed without breaking application relying on that feature.
 [2008-01-02 15:02 UTC] joem at tempomg dot com 
If, aside from backward compatibility, there are no disadvantages to fixing this bug, wouldn't it be easy enough to have both versions of the variable in the superglobal array to make the fix backward compatible?

Also, in response to Michael: right, the sample code is not real life code obviously :)  The reason I am using variable names with spaces and periods is that the variable names are autogenerated based on page titles and filenames.  I figured out a way around it easily enough - after I figured out what was happening.  But it took me a while to figure it out with the documentation not mentioning it!

I just think if there's no reason not to, it would sure make things easier to keep the indices unaltered whenever possible.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat May 18 08:01:33 2024 UTC