|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #45272 no ini setting to inhibit conversion of dots to underscores in $_REQUEST
Submitted: 2008-06-14 23:01 UTC Modified: 2019-08-12 14:37 UTC
Avg. Score:4.5 ± 0.7
Reproduced:16 of 16 (100.0%)
Same Version:3 (18.8%)
Same OS:11 (68.8%)
From: tavin dot cole at gmail dot com Assigned:
Status: Suspended Package: *Web Server problem
PHP Version: 5.2.6 OS: any
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2008-06-14 23:01 UTC] tavin dot cole at gmail dot com
It's well known that PHP converts dots to underscores for incoming variable names.  This is very frustrating when writing modern PHP code with register_globals off and using $_REQUEST etc. instead.

It's been stated this will not be changed due to BC issues.

Why not introduce an INI setting to inhibit this behavior?

Thanks for your consideration.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-06-15 17:52 UTC] tavin dot cole at gmail dot com
the following is a trivial patch for those needing a workaround to this problem.  it only inhibits the munging of dots and doesn't address things like spaces and square brackets.  it also doesn't address introducing an INI setting.

diff -ru php-5.2.6._dist/main/php_variables.c php-5.2.6._mine/main/php_variables.c
--- php-5.2.6._dist/main/php_variables.c        2007-12-31 07:20:15.000000000 +0000
+++ php-5.2.6._mine/main/php_variables.c        2008-06-14 23:34:25.000000000 +0000
@@ -91,7 +91,7 @@
        /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
        for (p = var; *p; p++) {
-               if (*p == ' ' || *p == '.') {
+               if (*p == ' ' /*|| *p == '.'*/) {
                } else if (*p == '[') {
                        is_array = 1;
 [2012-02-26 07:48 UTC]
-Package: Feature/Change Request +Package: *Web Server problem
 [2012-05-14 03:18 UTC] pravdin at vl dot ru
In PHP 5.4 INI the register_globals setting was removed finally. So, this atricle in documentation become not true:

"Dots in incoming variable names

Typically, PHP does not alter the names of variables when they are passed into a script. However, it should be noted that the dot (period, full stop) is not a valid character in a PHP variable name."

Because external variables will never become internal variables, translation dots to underscores become senseless. 

Please, add an INI setting to disable dots to underscores translation!
 [2018-07-18 12:03 UTC] strijbol dot niko at gmail dot com
Has there been any progress on this?
 [2019-08-12 14:21 UTC] sailormax at inbox dot lv
As I understand, requirement of convert dots and spaces to underscores inside $_GET variable and in result of parse_str() was "Using Register Globals" ("because variables in PHP can't have dots and spaces in their names").

Now "Using Register Globals" was removed in php 5.4.0!
But convert dots and spaces still here...

Can you add option in ini-file and argument for parse_str() to do not convert dots and spaces?
 [2019-08-12 14:37 UTC]
-Status: Open +Status: Suspended
 [2019-08-12 14:37 UTC]
INI options sound easy but they can make writing portable code difficult and so are avoided whenever possible.

This subject has come up recently on the internals mailing list as something to reconsider for PHP 8.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Feb 22 11:01:28 2024 UTC