php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #51210 request_order prevents _COOKIE populating _REQUEST
Submitted: 2010-03-05 05:07 UTC Modified: 2010-03-18 18:47 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: phplasma at gmail dot com Assigned: kalle (profile)
Status: Closed Package: Documentation problem
PHP Version: 5.3.1 OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2010-03-05 05:07 UTC] phplasma at gmail dot com 
Description:
------------
PHP 5.3 introduced a new configuration option named 'request_order'.

# Added "request_order" INI variable to control specifically _REQUEST behavior. (Stas)"
http://www.php.net/ChangeLog-5.php#5.3.0

It's default value within php.ini (and related comments) are:

--
; This directive determines which super global data (G,P,C,E & S) should
; be registered into the super global array REQUEST. If so, it also determines
; the order in which that data is registered. The values for this directive are
; specified in the same manner as the variables_order directive, EXCEPT one.
; Leaving this value empty will cause PHP to use the value set in the
; variables_order directive. It does not mean it will leave the super globals
; array REQUEST empty.
; Default Value: None
; Development Value: "GP"
; Production Value: "GP"
; http://www.php.net/manual/en/ini.core.php#ini.request-order
request_order = "GP"
--

This variable omits 'C' for COOKIES.

Versions prior to PHP 5.3 merged the contents of the _COOKIE array into _REQUEST.

Due to this default configuration change, _REQUEST can no longer be used to access cookie values without modifying the request_order php.ini variable.

This changes how _REQUEST is used in PHP 5.3 by default.

This appears to be an oversight/bug, because the PHP documentation still indicates that _REQUEST can be used to access cookies.

" An associative array that by default contains the contents of _GET, _POST and _COOKIE. "
http://au2.php.net/manual/en/reserved.variables.request.php

Suggested Fix: Update PHP 5.3's default php.ini configuration file to have 'GPC' instead of 'GP' for 'request_order', to restore prior functionality.


Test script:
---------------
http://pastebin.com/MmwkU0Z3

Expected result:
----------------
The line '_REQUEST has the cookie, no bug present.' because the default php.ini config value for request_order should be 'GPC' to include cookies.


Actual result:
--------------
The line '_REQUEST is missing TestCookie, there is a bug.' because the default php.ini config value for request_order currently omits cookies ('GP').

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-03-05 05:10 UTC] rasmus@php.net
-Status: Open +Status: Analyzed -Package: *Configuration Issues +Package: Documentation problem
 [2010-03-05 05:10 UTC] rasmus@php.net 
No, the documentation needs to be updated.  Having cookies in $_REQUEST can cause 
security problems in some circumstances and we need to get people to stop relying 
on that.  It was very much intentional that the default config does not include 
cookies.
 [2010-03-06 04:13 UTC] philip@php.net 
Just to clarify (in case anyone wonders), the PHP behavior for $_REQUEST does 
contain cookies. However, both distributed php.ini files differ as they set the 
value to GP (as quoted in this report) as opposed to NULL (which triggers 
variables_order to be used (which contains a C)).
 [2010-03-16 13:13 UTC] jani@php.net
-Type: Bug +Type: Documentation Problem
 [2010-03-18 18:47 UTC] kalle@php.net 
Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=296353
Log: Fixed bug #51210 (request_order prevents _COOKIE populating _REQUEST)
 [2010-03-18 18:47 UTC] kalle@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: kalle
 [2010-03-18 18:47 UTC] kalle@php.net 
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
 [2020-02-07 06:09 UTC] phpdocbot@php.net 
Automatic comment on behalf of kalle
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=adc48783d843e379aa88629d7b5a3f968c328c52
Log: Fixed bug #51210 (request_order prevents _COOKIE populating _REQUEST)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Apr 24 00:01:32 2024 UTC