php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #8449 register_globals=on and track_vars=on produce strange results for arrays
Submitted: 2000-12-28 02:49 UTC Modified: 2002-02-27 00:32 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:0 of 0 (0.0%)
From: omakarenko at cyberplat dot ru Assigned:
Status: Not a bug Package: Arrays related
PHP Version: 4.1.0RC1 OS: linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
25 - 23 = ?
Subscribe to this entry?

 
 [2000-12-28 02:49 UTC] omakarenko at cyberplat dot ru
I was trying to make the example as short as possible so it
looks stupid but it clearly demonstrates the problem. 

Two short examples o *correct* behaviour first:

Example 1:
<form action="bug.php?age=12" method=post>
<input type=text size=32 name=sname>
</form>

the form sets age using url path and sname using post. I could use cookies for age but the example longer. The idea is to simultaniously use several different methods to pass the variables. Nothing unusual here.

tarck_vars and register_globals are both on so in bug.php
I have access to $HTTP_GET_VARS[age],$HTTP_POST_VARS[sname] and to $age, $sname. I have no $HTTP_GET_VARS[sname] and $HTTP_POST_VARS[age] and I should not to. So far so good.

Example 2:
let's try the following:

<form action="bug.php?sname=Pupkin" method=post>
<input type=text size=32 name=sname value='Collins'>
</form>

I use the same variable name in both requests.
Now I have $HTTP_GET_VARS[sname] == 'Pupkin' and $HTTP_POST_VARS[sname]='Collins' and that is also correct and that is how can I check what method was used to pass the variable (the global $sname value depends on variables_order ofcourse)

Example 3: the bug

but let's put the variables into array:

<form action="bug?person[age]=12" method=post>
<input type=text size=32 name=person[sname]
</form>

Now I expect to have $person[age],$person[$sname] in my global space and $HTTP_POST_VARS[person][sname],
$HTTP_GET_VARS[person][age]... right?

The bug is that I also have both $HTTP_POST_VARS[person][age] and

$HTTP_GET_VARS[person][sname] defined...

Do you see the problem? person[age] has somehow propagated into $HTTP_POST_VARS while I had no person[age] in my post request... Now I have no way to find how was that variable passed to my script... If I have an person[id] defined in the cookie then I suddenly have also person[age] and person[sname] defined in HTTP_COOKIE_VARS and pesron[id] defined in both POST_VARS and GET_VARS!

looks like a bug for me.

Comments?

oleg





Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-08-19 02:57 UTC] sniper@php.net
This is fixed at least in PHP 4.0.6.
Maybe even earlier.

--Jani

 [2001-08-19 03:01 UTC] sniper@php.net
Oops. I had register_globals=off in my php.ini. 
Then this works as expected. But when it is On, not.

--Jani

 [2001-10-21 01:27 UTC] sniper@php.net
Reproduced also with PHP 4.1.0RC1

Here is the complete script for all the lazy developers
to try with:

form.php:
---------
<form action="form.php?person[age]=12" method=post>
<input type=text size=32 name=person[sname]
</form>
<br>
<?php

echo "HTTP_POST_VARS<br>";
print_r($HTTP_POST_VARS);
echo "<p>";
echo "HTTP_GET_VARS<br>";
print_r($HTTP_GET_VARS);
echo "<p>";
echo "_POST<br>";
print_r($_POST);
echo "<p>";
echo "_GET<br>";
print_r($_GET) 

?>

 [2002-02-26 22:58 UTC] rodif_bl@php.net
I looked into this...
When you have register globals on it registers the
$person as a global array when parsing the get request it adds [age] to the global $person array then when the post requet is parsed then it finds the global array and adds the [sname] to the same array. So this is what should happen.

why are you using get and post requests...
why don't you just use 

<input type=hidden name=person[blah] value=blah>


 [2002-02-27 00:32 UTC] yohgaki@php.net
We should get rid register_globals feature from PHP5 :)
(There is import_request_variable() for compatibility also)
 [2003-05-02 14:19 UTC] oregon at pobox dot com
Why is this bug marked as Bogus?  It's absolutely a bug and it needs to be fixed because it's breaking correctly written scripts that worked in earlier PHP versions.  I'll re-submit it...
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 17:01:29 2024 UTC