|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2007-06-27 10:57 UTC] tony2001@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 25 14:01:31 2024 UTC |
Description: ------------ Some HTTP request variable names are modified in a unexpected way. The HTML form may submit data using either get or post methods, retrieving those values using $_GET $_POST $_REQUEST $HTTP_GET_VARS or $HTTP_POST_VARS leads to the same and unpredictable result. This does not happen to the $z check array, that behaves predictably. To trigger this behaviour, the HTTP request variable name (that will become the key of an associative array) must contain at least one dot character (".", ASCII 0x2E). My sample code demonstrates that "x.y" is renamed as "x_y" overwriting the legitimate "x_y" value and leaving the "x.y" key unset. If you delete the "x_y" input tag and resubmit the form, the result will not change. If you restore the "x_y" input tag then delete the "x.y" input tag and then resubmit the form, the result will be as expected. Reproduce code: --------------- <html><title>dot bug</title><body> <form method="get" action=""> <tt>x_y: </tt><input type="text" name="x_y" value="1"><br> <tt>x-y: </tt><input type="text" name="x-y" value="2"><br> <tt>x.y: </tt><input type="text" name="x.y" value="3"><br> <input type="submit"> </form><tt> <?php $z = array ('x_y' => 'x_y [', 'x-y' => 'x-y [', 'x.y' => 'x.y ['); echo ( $z['x_y'] . $_GET['x_y'] . '] [' . isset ($_GET['x_y']) . "]<br>\n" . $z['x-y'] . $_GET['x-y'] . '] [' . isset ($_GET['x-y']) . "]<br>\n" . $z['x.y'] . $_GET['x.y'] . '] [' . isset ($_GET['x.y']) . "]<br>\n" . '<hr>query string: ' . htmlspecialchars ($_SERVER['QUERY_STRING'])); ?> </tt></body></html> Expected result: ---------------- x_y [1] [1] x-y [2] [1] x.y [3] [1] Actual result: -------------- x_y [3] [1] x-y [2] [1] x.y [] []