PHP :: Bug #73595 :: parse_url fails if passing '#' in passwd

Bug #73595	parse_url fails if passing '#' in passwd
Submitted:	2016-11-23 20:24 UTC	Modified:	2016-11-23 20:38 UTC
From:	dakusan at castledragmire dot com	Assigned:
Status:	Duplicate	Package:	URL related
PHP Version:	5.6.28	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-11-23 20:24 UTC] dakusan at castledragmire dot com

Description:
------------
I believe this happened in commit "f0f68c72744a42a1c376a832dd01c012c0929e88". The reason I am considering this a bug is that it broke expected behavior in a minor version change.

Test script:
---------------
var_dump(parse_url('mysql://username:xxx#xxx@localhost/databasename'));

Expected result:
----------------
array(5) { ["scheme"]=> string(5) "mysql" ["host"]=> string(9) "localhost" ["user"]=> string(8) "username" ["pass"]=> string(7) "xxx#xxx" ["path"]=> string(13) "/databasename" } 


Actual result:
--------------
FALSE

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-23 20:38 UTC] requinix@php.net

-Status: Open +Status: Duplicate

[2016-11-23 20:38 UTC] requinix@php.net

Allowing # like that was a bug - security bug, no less - which is why it was fixed. You should be urlencode()ing the password.

See also bug #73500

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 22:00:02 2025 UTC