php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49184 INPUT_SERVER returns NULL for set variables (CLI)
Submitted: 2009-08-06 21:48 UTC Modified: 2009-08-07 10:20 UTC
Votes:55
Avg. Score:4.3 ± 0.9
Reproduced:53 of 54 (98.1%)
Same Version:38 (71.7%)
Same OS:32 (60.4%)
From: m dot kurzyna at crystalpoint dot pl Assigned:
Status: Verified Package: Filter related
PHP Version: 5.*, 6 (2009-08-07) OS: *
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2009-08-06 21:48 UTC] m dot kurzyna at crystalpoint dot pl
Description:
------------
This is very similar to #44779, however my report regards variables set as environment variables when running CLI.

A variable is visible in $_SERVER but INPUT_SERVER returns NULL. Setting via SetEnv in apache and when running as mod_php is fine.

Reproduce code:
---------------
<?php

var_dump(
        filter_input(INPUT_SERVER,'ENV_NAME',FILTER_SANITIZE_STRING),
        $_SERVER['ENV_NAME']
);

?>



Expected result:
----------------
$ ENV_NAME=var php /tmp/t.php
string(3) "var"
string(3) "var"


Actual result:
--------------
$ ENV_NAME=var php /tmp/t.php
NULL
string(3) "var"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-08-07 10:20 UTC] jani@php.net
This is quite strange, propably caused by bad design of the filter extension.
 [2011-02-01 23:19 UTC] mjk at emmjaykay dot org
Looking at the filter_input() call in filter.c:747 on 5.3.5, it looks like the call to zend_hash_find() fails.

(gdb) call zend_hash_display(input->value->ht)
SCRIPT_FILENAME <==> 0x537C323A
SCRIPT_NAME <==> 0x9B9D269A
PATH_TRANSLATED <==> 0x3A4E2C63
PHP_SELF <==> 0xBD55DE96
DOCUMENT_ROOT <==> 0x1DB85847
DOCUMENT_ROOT <==> 0x1DB85847
PATH_TRANSLATED <==> 0x3A4E2C63
SCRIPT_FILENAME <==> 0x537C323A
SCRIPT_NAME <==> 0x9B9D269A
PHP_SELF <==> 0xBD55DE96
(gdb) 

So I guess ENV_NAME never gets put in there at all?
 [2014-02-05 12:55 UTC] jpswade at gmail dot com
It seems this bug still appears in PHP v5.4.24 and has done for over 6 years:

* http://www.php.net/manual/en/function.filter-input.php#77307

The general advice is "do not access superglobal $_server array directly" and the solution is to use the filter_input() function instead.

* http://stackoverflow.com/questions/19767894/warning-do-not-access-superglobal-post-array-directly-on-netbeans-7-4-for-ph

However, this is a show stopper as you can't fully follow this through because all of the INPUT_SERVER variables return NULL.

Is PHP serious about not accessing superglobals directly or is this incorrect advice?
 [2014-10-28 14:40 UTC] cb at lathspell dot de
If you don't care about fixing this bugs for *years*, please be at least so kind to document that it is "not intended" to be used from CLI.
 [2017-01-23 07:44 UTC] dclarke at blastwave dot org
Still a valid bug in 5.6.30 :

bash-4.3$ ./php-5.6.30_SunOS5.10_sparcv9.001/sapi/cli/php --version
PHP 5.6.30 (cli) (built: Jan 23 2017 01:16:31) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
bash-4.3$  cat  foo_var_dump.php 
<?php

var_dump(
          filter_input(INPUT_SERVER,'SOME_ENV_NAME',
                       FILTER_SANITIZE_STRING),
                       $_SERVER['SOME_ENV_NAME'] );

?>
bash-4.3$ SOME_ENV_NAME=this_stuff ./php-5.6.30_SunOS5.10_sparcv9.001/sapi/cli/php foo_var_dump.php 
NULL
string(10) "this_stuff"

It may be worth running a trace through the calls and I did build 
with full debug sysmbols so this is possible. At least on Solaris.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC