|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #8449 register_globals=on and track_vars=on produce strange results for arrays
Submitted: 2000-12-28 02:49 UTC Modified: 2002-02-27 00:32 UTC
Avg. Score:4.0 ± 1.0
Reproduced:0 of 0 (0.0%)
From: omakarenko at cyberplat dot ru Assigned:
Status: Not a bug Package: Arrays related
PHP Version: 4.1.0RC1 OS: linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: omakarenko at cyberplat dot ru
New email:
PHP Version: OS:


 [2000-12-28 02:49 UTC] omakarenko at cyberplat dot ru
I was trying to make the example as short as possible so it
looks stupid but it clearly demonstrates the problem. 

Two short examples o *correct* behaviour first:

Example 1:
<form action="bug.php?age=12" method=post>
<input type=text size=32 name=sname>

the form sets age using url path and sname using post. I could use cookies for age but the example longer. The idea is to simultaniously use several different methods to pass the variables. Nothing unusual here.

tarck_vars and register_globals are both on so in bug.php
I have access to $HTTP_GET_VARS[age],$HTTP_POST_VARS[sname] and to $age, $sname. I have no $HTTP_GET_VARS[sname] and $HTTP_POST_VARS[age] and I should not to. So far so good.

Example 2:
let's try the following:

<form action="bug.php?sname=Pupkin" method=post>
<input type=text size=32 name=sname value='Collins'>

I use the same variable name in both requests.
Now I have $HTTP_GET_VARS[sname] == 'Pupkin' and $HTTP_POST_VARS[sname]='Collins' and that is also correct and that is how can I check what method was used to pass the variable (the global $sname value depends on variables_order ofcourse)

Example 3: the bug

but let's put the variables into array:

<form action="bug?person[age]=12" method=post>
<input type=text size=32 name=person[sname]

Now I expect to have $person[age],$person[$sname] in my global space and $HTTP_POST_VARS[person][sname],
$HTTP_GET_VARS[person][age]... right?

The bug is that I also have both $HTTP_POST_VARS[person][age] and

$HTTP_GET_VARS[person][sname] defined...

Do you see the problem? person[age] has somehow propagated into $HTTP_POST_VARS while I had no person[age] in my post request... Now I have no way to find how was that variable passed to my script... If I have an person[id] defined in the cookie then I suddenly have also person[age] and person[sname] defined in HTTP_COOKIE_VARS and pesron[id] defined in both POST_VARS and GET_VARS!

looks like a bug for me.




Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2001-08-19 02:57 UTC]
This is fixed at least in PHP 4.0.6.
Maybe even earlier.


 [2001-08-19 03:01 UTC]
Oops. I had register_globals=off in my php.ini. 
Then this works as expected. But when it is On, not.


 [2001-10-21 01:27 UTC]
Reproduced also with PHP 4.1.0RC1

Here is the complete script for all the lazy developers
to try with:

<form action="form.php?person[age]=12" method=post>
<input type=text size=32 name=person[sname]

echo "HTTP_POST_VARS<br>";
echo "<p>";
echo "HTTP_GET_VARS<br>";
echo "<p>";
echo "_POST<br>";
echo "<p>";
echo "_GET<br>";


 [2002-02-26 22:58 UTC]
I looked into this...
When you have register globals on it registers the
$person as a global array when parsing the get request it adds [age] to the global $person array then when the post requet is parsed then it finds the global array and adds the [sname] to the same array. So this is what should happen.

why are you using get and post requests...
why don't you just use 

<input type=hidden name=person[blah] value=blah>

 [2002-02-27 00:32 UTC]
We should get rid register_globals feature from PHP5 :)
(There is import_request_variable() for compatibility also)
 [2003-05-02 14:19 UTC] oregon at pobox dot com
Why is this bug marked as Bogus?  It's absolutely a bug and it needs to be fixed because it's breaking correctly written scripts that worked in earlier PHP versions.  I'll re-submit it...
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue Jun 28 21:05:46 2022 UTC