|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67296 filter_input doesn't validate variables set by nginx/php-fpm
Submitted: 2014-05-16 22:34 UTC Modified: 2014-07-02 20:24 UTC
From: fleshgrinder at gmx dot at Assigned:
Status: Duplicate Package: Filter related
PHP Version: 5.6.0beta3 OS: Debian Wheezy
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
34 - 18 = ?
Subscribe to this entry?

 [2014-05-16 22:34 UTC] fleshgrinder at gmx dot at
I'm running nginx which communicates via FastCGI to php-fpm. The filter_input() function doesn't validate any of the variables which are sent via FastCGI within the global $_SERVER array.

Test script:

foreach ($_SERVER as $variable_name => $value) {
  var_dump(filter_input(INPUT_SERVER, $variable_name, FILTER_UNSAFE_RAW));


Expected result:
The filter_input() function should validate the variable within the $_SERVER array. I know that filter_input() can't be used if you set something in your code but in my opinion it should accept the data that was sent via FastCGI. Otherwise the function is pretty useless for non Apache users.

Actual result:
Always returns NULL.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-06-03 07:45 UTC]
-Status: Open +Status: Feedback
 [2014-06-03 07:45 UTC]
any chance that you are using auto_globals_jit?
somebody else also reported on the mailing list that input_filter won't trigger the jit variable, so I wonder if this is the same or a different bug.
 [2014-06-03 08:21 UTC] fleshgrinder at gmx dot at
Yes, I am. Here's my complete PHP configuration:
 [2014-07-02 20:24 UTC]
-Status: Feedback +Status: Duplicate
 [2014-07-02 20:24 UTC]
I've verified that this isn't related to auto_globals_jit, but a duplicate of and seems to be present for a while now. :/
I will try to get it fixed, I will close this as a duplicate, you can track the progress on the other bugreport.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Dec 05 01:05:53 2022 UTC