|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #55102 add parameter to parse_str to avoid sanitizing of root keys
Submitted: 2011-07-01 09:31 UTC Modified: 2011-07-01 19:02 UTC
Avg. Score:4.9 ± 0.3
Reproduced:7 of 7 (100.0%)
Same Version:3 (42.9%)
Same OS:3 (42.9%)
From: giorgio dot liscio at email dot it Assigned:
Status: Open Package: URL related
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: giorgio dot liscio at email dot it
New email:
PHP Version: OS:


 [2011-07-01 09:31 UTC] giorgio dot liscio at email dot it
hi, this is probably an old behavior to make php backward compatible when register_global was enabled

parse_str("hey all=1",$r); ---> array('hey_all' => '1');

parse_str is now widely used in xmlhttprequest communication and may cause a lot of issues and waste of time when debugging because we are not able to know how exactly what type of character sanitizing is made to root keys

yep, only root keys are sanitized because

parse_str("aaa[hey all]=1",$r); ---> array('aaa' => array('hey all', '1'));

works like expected

so my request is not to change the default behavior of this function (and how $_GET $_POST etc are populated)

but add another parameter to this function for who wants root keys parsed without sanitizing

void parse_str ( string $str [, array &$arr ] [, bool $bwcompatible = true])

thank you


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-01 19:02 UTC]
-Type: Bug +Type: Feature/Change Request
 [2011-07-01 19:02 UTC]
Changing to Feature request.
 [2021-09-09 20:08 UTC] rok dot kralj at gmail dot com
This bug has a neat workaround. Just take the root keys, encode them (so dots and other special characters are hidden), then use parse_str.

You can take the code from here, just attribute it.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Sep 25 23:05:53 2022 UTC