|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60395 Null byte in source causes file to be ignored, no error or warning reported
Submitted: 2011-11-26 23:17 UTC Modified: 2011-11-28 15:24 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: nh at ngin dot de Assigned:
Status: Open Package: Unknown/Other Function
PHP Version: Irrelevant OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: nh at ngin dot de
New email:
PHP Version: OS:


 [2011-11-26 23:17 UTC] nh at ngin dot de
NULL bytes in the source code seem to confuse PHP. See test script below. The 
code in the file is not executed, and no error or warning is shown.

The result is the same if you run it from the command line or from a web server 
(ruling out a web server problem).

This bug has been discovered on MacOS X (10.6.8) with a default, unpatched PHP 
5.3.6; but it has been reproduced (so far) as well on Debian 2.6.26-2 with the 
most recent version of PHP.

It does not matter where the null byte(s) is/are placed. They can even be inside 
a comment!

I discovered this bug by accident as I had inadvertently copied a NULL-byte into 
a comment inside a file that I was require()'ing from elsewhere. The require()'d 
code was not run, but, even with error_reporting(-1), no warning or error 
message was displayed. I couldn't figure out what was wrong until I looked at 
the file with a text editor that can make non-printing characters visible. 
Removing the NULL byte fixed the problem.

Test script:
This is a 1-line PHP script that contains a single NULL byte:

Just showing printable chars, the contents of this file is:
<?php echo "Hi"; ?>

The NULL byte is located after the closing semicolon. (However, the exact location is irrelevant in order to reproduce the bug.)

Expected result:
The string 'Hi' should be output.

Actual result:
Instead, PHP outputs a number of non-printing characters (usually shown as 
question marks). Depending on the position and number of NULL bytes in the source 
code, the output may also be nothing at all.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-11-28 05:52 UTC]
you must compile your php with zend-multibyte supporting. 

try this, php -ddetect_unicode = 0 test.php

I think this is not a bug,  but a side-effect of zend multibyte auto-unicode-
detection :)
 [2011-11-28 05:53 UTC]
sorry, I mean, you must compiled your php with zend-multibyte supprot.  :)
 [2011-11-28 14:23 UTC] nh at ngin dot de
Well, but since it occurs with the default (factory) config/installation of at 
least two systems, it could be considered a bug. In either way, the behaviour that 
is observed is unexpected, and at least some kind of warning/informational message 
should be output.
 [2011-11-28 14:25 UTC] nh at ngin dot de
Oh and BTW, zend_multibyte *is* enabled in my install.

Configure Command =>  '/private/var/tmp/apache_mod_php/apache_mod_php-
53.6~2/php/configure'  '--prefix=/usr' '--mandir=/usr/share/man' '--
infodir=/usr/share/info' '--disable-dependency-tracking' '--
sysconfdir=/private/etc' '--with-apxs2=/usr/sbin/apxs' '--enable-cli' '--with-
config-file-path=/etc' '--with-libxml-dir=/usr' '--with-openssl=/usr' '--with-
kerberos=/usr' '--with-zlib=/usr' '--enable-bcmath' '--with-bz2=/usr' '--enable-
calendar' '--with-curl=/usr' '--enable-exif' '--enable-ftp' '--with-gd' '--with-
jpeg-dir=/BinaryCache/apache_mod_php/apache_mod_php-53.6~2/Root/usr/local' '--
'--enable-gd-native-ttf' '--with-ldap=/usr' '--with-ldap-sasl=/usr' '--enable-
mbstring' '--enable-mbregex' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--
with-pdo-mysql=mysqlnd' '--with-mysql-sock=/var/mysql/mysql.sock' '--without-
pear' '--with-iodbc=/usr' '--enable-shmop' '--with-snmp=/usr' '--enable-soap' '-
-enable-sockets' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--
enable-wddx' '--with-xmlrpc' '--with-iconv-dir=/usr' '--with-xsl=/usr' '--
enable-zend-multibyte' '--enable-zip' '--with-pcre-regex=/usr'
 [2011-11-28 15:24 UTC]
yes, my english is a little poor, I meant that because you have compiled your php 
with zend muiltbyte enabled, so the NULL byte in the script trigger  auto-detect-
unicode mechanism.

so you can suppress this mechanism by -d detect_unicode=Off (or configed in 

thanks :)
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 16 02:01:29 2024 UTC