php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54703 When containing a null character, $_GET variable not set (properly)
Submitted: 2011-05-10 19:21 UTC Modified: 2011-05-11 11:15 UTC
From: php at tracking-celebs dot info Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.2.17 OS:
Private report: No CVE-ID: None
 [2011-05-10 19:21 UTC] php at tracking-celebs dot info
Description:
------------
When a null character is present in the value of a variable in the request string (encoded as %00), said variable will either not be set in $_GET at all (linux) or be set improperly (null character is escaped; win32)


Test script:
---------------
<?php
print_r($_GET);

if (isset($_GET['fb']))
{
 echo strlen($_GET['fb']);
}
else
{
 echo '<a href="?fb=foo%00bar">click me</a>';
}


Expected result:
----------------
After clicking the link:
Array
(
    [fb] => foo�bar
)
7


Actual result:
--------------
After clicking the link:

- On a linux setup:
Array
(
)
<a href="?fb=foo%00bar">click me</a>

- On a win32 setup:
Array
(
    [fb] => foo\0bar
)
8


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-05-10 19:39 UTC] rasmus@php.net
-Status: Open +Status: Feedback
 [2011-05-10 19:39 UTC] rasmus@php.net
On Linux this is not true unless you have something specifically filtering these 
on you. Without ext/filter, suhosin or your own filter code, nulls go through 
fine. See: http://progphp.com/null.php?fb=foo%00bar
And the source for the script: http://progphp.com/null.phps

And it shouldn't be any different on Windows.
 [2011-05-10 23:31 UTC] php at tracking-celebs dot info
-Status: Feedback +Status: Open
 [2011-05-10 23:31 UTC] php at tracking-celebs dot info
On that linux machine there is suhosin indeed, so it could be causing the problem. I just tried on another computer with a new vanilla php-5.2.17 and then got the same results as did on windows.

Would seem indeed to be caused by suhosin; however i just added suhosin on there and it still worked then as before, so there must be something else on that other computer...

Anyways, can't reproduce it with a vanilla php, so that's that. I got things mixed up, seems there's no bug here after all; Apologies.
 [2011-05-11 11:15 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2011-05-11 11:15 UTC] johannes@php.net
No bug. Closing.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC