php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #60219 POSTDATA periods (.) being converted to underscores (_)
Submitted: 2011-11-04 14:04 UTC Modified: 2021-07-02 15:37 UTC
Votes:16
Avg. Score:4.4 ± 1.1
Reproduced:15 of 15 (100.0%)
Same Version:9 (60.0%)
Same OS:9 (60.0%)
From: kieran at menor dot dk Assigned:
Status: Suspended Package: Unknown/Other Function
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-11-04 14:04 UTC] kieran at menor dot dk
Description:
------------
This is documented "intended" behavior as per this section of the manual:

http://www.php.net/manual/en/language.variables.external.php#language.variables.external.dot-in-names

I'm guessing it's a leftover from back when register_globals a common thing. It's been reported as a bug before a long time ago, and dismissed:

https://bugs.php.net/bug.php?id=30956

... but this is 2011, and I think it's worth giving it another go. Here's why:

First of all, nobody assigns POSTDATA directly to variables anymore. It all goes through $_POST;
Secondly, the claim that you can't have periods in variable names is bogus (see test script).
Lastly, the period is a good seperator to have available, and I understand that certain services such as OpenID depend on it, as noted here: http://stackoverflow.com/questions/68651/can-i-get-php-to-stop-replacing-characters-in-get-or-post-arrays#1939911

Test script:
---------------
${'sure.you.can'} = 'Foo';
var_dump($GLOBALS['sure.you.can']);


Patches

preserve-external-variable-names-ini-option (last revision 2012-01-24 00:11 UTC by kenaniah at gmail dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-11-04 14:10 UTC] kieran at menor dot dk
Not to mention, it's also potentially confusing and unexpected behavior for people who didn't happen to read that tiny paragraph of the manual.
 [2011-11-15 04:20 UTC] pablitobof at yahoo dot com dot mx
PHP 5.4 alpha1 has just been released which removes register_globals.  It seems appropriate that there would be a matching move towards removing the now unnecessary translation of characters in requests.
 [2012-01-23 20:08 UTC] kcerny at wirelesscapital dot com
The relevant code is found in the source file main/php_variables.c at line 94:

        /* ensure that we don't have spaces or dots in the variable name (not 
binary safe) */
        for (p = var; *p; p++) {
                if (*p == ' ' || *p == '.') {
                        *p='_';
                } else if (*p == '[') {
                        is_array = 1;
                        ip = p;
                        *p = 0;
                        break;
                }
        }

I'm not sure what repercussions we'll face by removing that first if statement. 
I would suggest controlling this replacement behavior using an INI setting for 
backwards compatibility.
 [2012-01-23 22:32 UTC] tim at xi dot co dot nz
See: 

https://wiki.php.net/rfc/url_dots
 [2021-05-28 18:06 UTC] nospam at unclassified dot de
I just ran into this as well. I set a cookie with setcookie() and it just wasn't read anymore. Firefox showed it to me but PHP was just blind. Dumping $_COOKIE showed me another cookie with an underscore where I had put a dot. PHP still does that crap from the last century.

Doesn't seem like anybody at the PHP team cares about doing things right for once. How typical. I guess PHP remains a hacky language forever, not suitable for serious work.

PS: Voting is broken in this bug tracker, too. I voted and got an empty page. Probably an unhandled server error, due to some weirdness of the PHP language.
 [2021-05-28 18:11 UTC] ggggh dot fggg at fghb dot cf
and why can't you just not use a-z and underlines like every normal human being does for variable names?
 [2021-07-02 15:37 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2021-07-02 15:37 UTC] cmb@php.net
This change would constitute a serious BC break, and such requires
the RFC process[1].  Instead of complaining, just do the work.
Thanks!

[1] <https://wiki.php.net/rfc/howto>
 [2021-07-22 19:15 UTC] nospam at unclassified dot de
Sorry, that's your process not mine. To me, this isn't a serious BC break but just a serious PITA. And a laughable behaviour of a notoriously unprofessional language (which it will probably remain forever, because of BC).
 [2021-07-22 19:22 UTC] rtrtrtrtrt at dfdfdfdf dot dfd
> And a laughable behaviour of a notoriously unprofessional language

funny when people using non-alphanumeric chars for variables talking about unprofessional
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Jul 29 16:01:24 2021 UTC