php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #53564 Long get requests fails
Submitted: 2010-12-17 14:25 UTC Modified: 2010-12-17 16:04 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: chris at bjelleklang dot org Assigned:
Status: Not a bug Package: Variables related
PHP Version: 5.3.4 OS: Linux; Ubuntu 10.04, krnl 2.6.32
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: chris at bjelleklang dot org
New email:
PHP Version: OS:

 

 [2010-12-17 14:25 UTC] chris at bjelleklang dot org 
Description:
------------
I'm doing an integration against BBS, one of the bigger (if not biggest) online payment systems in Norway. After validating a credit card on an external site, BBS sends the user back to my site in a GET request, along with a long hash (around 850 characters), for a total URL-length of 860 characters. 

For some reason, I can't get access to the GET variable, unless I trim the length of the parameter down to 512 characters. 513 fails. Using two parameters of 512 chars each works fine, two parameters where the first is >512 chars fails on both, if the last one is >512 the first works fine. 

If I print_r the $_SERVER variable, the querystring contains the full parameter even though $_GET is empty. Access logs always contain the correct request, and when GET is empty, an error of type undefined index is triggered as expected. 

HTTP doesn't specify any limits on GET-requests, major browsers support from 2000 characters and upwards (including MS Internet Explorer), and the (unchanged) default in Apache is around 8000 characters. If Apache was the problem, a http-413-error would have been triggered indicating a too long request. 

I'm currently using php 5.3.2, along with Apache 2.2.14, and also tested php 5.3.3/Apache 2.2.16. 
This works fine on another server we are running using php 5.2.4 and apache 2.2.8. 

If you need more information, or want me to do more tests, I'm available on e-mail: chris@bjelleklang.org and IRC: bjelleklang, mostly on Freenode.net.

I've put an example script with the source code below at http://pluto.bjelleklang.org/index.php?p=&p2=. Just add values to the two parameters. This server is running PHP 5.3.3

regards, 
Chris

Test script:
---------------
<?php 

$d = $_GET['p'];
$d2 = $_GET['p2'];

echo "Length: " . strlen($d) . '<br>';
echo "Length: " . strlen($d2) . '<br>';
print_r($GLOBALS);
print_r( $_SERVER);
print_r($_GET);
print_r($_SESSION);
print_r($_REQUEST);
print_r($_ENV);
?>


Expected result:
----------------
I'd expect to see the actual length of the GET parameters, as well as entries in the various superglobals. 

Actual result:
--------------
Nothing in the superglobals, GET parameters treated by PHP as if they aren't set, thus producing undefined index notices.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-12-17 16:04 UTC] cataphract@php.net
-Status: Open +Status: Bogus
 [2010-12-17 16:04 UTC] cataphract@php.net 
Almost certainly due to suhosin; see suhosin.get.max_value_length
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Jul 14 20:01:55 2025 UTC