php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #6685 %20 mis-converted in GET mechanism
Submitted: 2000-09-12 13:39 UTC Modified: 2002-12-06 19:29 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: waldschrott@php.net Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 4.0.2 OS: *
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2000-09-12 13:39 UTC] waldschrott@php.net
I guess this is has the potential to be a serious bug since I think I?m allowed to take any key/value pairs I want to if encoded correctly, very simple to reproduce

Call a page with this QueryString
?%20asd%20%20=%20asdf  (you can replace %20 with + if you want to, same effect)

and look what happened to to the key part of key=value
<?php var_dump($HTTP_GET_VARS); ?>

all leading spaces are stripped, all trailing ones converted to "_" - that really does not make sense, I don?t know what else is converted with mystic rules, I found these

The only workaround is to access the QueryString directly which seems to be fine (of course)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-09-12 13:41 UTC] stas@php.net
And what would you expect it to do? You cannot have variable names with spaces. 
 [2000-09-12 13:46 UTC] waldschrott@php.net
since we all (almost) agree that register_globals should be deprecated ASAP and array indices with spaces are legal and URIs containg QUERYSTRING with them too, well at least the $HTTP_GET_VARS array should contain the non-converted information, if register_globals=on this mechanism can be applied for global variables

We shouldn?t obscure URI data.
 [2000-09-16 17:59 UTC] stas@php.net
On the second though, you _can_ have variables with spaces (actually, you can name variable with every string you can put into variable), so I don't quite understand the maning of that variable name translation. Do we really need it? Anybody will have problems if we remove it?
 [2000-11-21 03:35 UTC] sniper@php.net
I think that having spaces in variable names is not
a good thing (tm). could someone please explain me 
how it would be useful at all?

--Jani
 [2000-11-21 15:37 UTC] waldschrott@php.net
well why do you think are cased variables needed? why do we
need to be able to use variables containg ?,?,? etc.

I'd say escpecially with variable variables this could be
useful in some cases
 [2002-06-02 13:29 UTC] derick@php.net
Seems not important enough to anybody... suspending.
 [2003-03-05 05:11 UTC] flystop at gmx dot net
The problem is not only the conversion of spaces but all characters not allowed in variable names. With register_globals=Off the keys in the superglobals should not be changed I think. Sometimes it IS important to use the original names (e.g. in my case passing cookie-data to external pages which use dots in cookie names).

I do think many people who rely on the translation could have problems if it is removed completely.

Maybe a configuration option could be used? This way everybody can decide to use the translation or not.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Thu Oct 18 16:01:25 2018 UTC