php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41821 handling dots in http request variable names
Submitted: 2007-06-27 10:47 UTC Modified: 2007-06-27 10:57 UTC
From: php at niksoggia dot it Assigned:
Status: Not a bug Package: *Web Server problem
PHP Version: 5.2.3 OS: Linux
Private report: No CVE-ID: None
 [2007-06-27 10:47 UTC] php at niksoggia dot it
Description:
------------
Some HTTP request variable names are modified in a unexpected way.
The HTML form may submit data using either get or post methods, retrieving those values using $_GET $_POST $_REQUEST $HTTP_GET_VARS or $HTTP_POST_VARS leads to the same and unpredictable result.
This does not happen to the $z check array, that behaves predictably.

To trigger this behaviour, the HTTP request variable name (that will become the key of an associative array) must contain at least one dot character (".", ASCII 0x2E).

My sample code demonstrates that "x.y" is renamed as "x_y" overwriting the legitimate "x_y" value and leaving the "x.y" key unset.
If you delete the "x_y" input tag and resubmit the form, the result will not change. If you restore the "x_y" input tag then delete the "x.y" input tag and then resubmit the form, the result will be as expected.

Reproduce code:
---------------
<html><title>dot bug</title><body>
<form method="get" action="">
<tt>x_y: </tt><input type="text" name="x_y" value="1"><br>
<tt>x-y: </tt><input type="text" name="x-y" value="2"><br>
<tt>x.y: </tt><input type="text" name="x.y" value="3"><br>
<input type="submit">
</form><tt>
<?php
$z = array ('x_y' => 'x_y [', 'x-y' => 'x-y [', 'x.y' => 'x.y [');
echo (  $z['x_y'] . $_GET['x_y'] . '] [' . isset ($_GET['x_y']) . "]<br>\n" .
        $z['x-y'] . $_GET['x-y'] . '] [' . isset ($_GET['x-y']) . "]<br>\n" .
        $z['x.y'] . $_GET['x.y'] . '] [' . isset ($_GET['x.y']) . "]<br>\n" .
        '<hr>query string: ' . htmlspecialchars ($_SERVER['QUERY_STRING']));
?>
</tt></body></html>

Expected result:
----------------
x_y [1] [1]
x-y [2] [1]
x.y [3] [1]

Actual result:
--------------
x_y [3] [1]
x-y [2] [1]
x.y [] []

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-06-27 10:57 UTC] tony2001@php.net
This is expected behaviour, but it's subject to change in PHP6.
The "." symbol is not a legal symbol in PHP variable names, so PHP replaces it with "_" when registering a variable (and adding element to the _POST array).
Even though the variable would be registered only if register_globals in On, the behavior was made consistent to prevent possible confusion.

PHP6 doesn't have register_globals, so there is no need to keep this behavior anymore.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC