From: Operating system: Linux; Ubuntu 10.04, krnl 2.6.32 PHP version: 5.3.4 Package: Variables related Bug Type: Bug Bug description:Long get requests fails
Description: ------------ I'm doing an integration against BBS, one of the bigger (if not biggest) online payment systems in Norway. After validating a credit card on an external site, BBS sends the user back to my site in a GET request, along with a long hash (around 850 characters), for a total URL-length of 860 characters. For some reason, I can't get access to the GET variable, unless I trim the length of the parameter down to 512 characters. 513 fails. Using two parameters of 512 chars each works fine, two parameters where the first is >512 chars fails on both, if the last one is >512 the first works fine. If I print_r the $_SERVER variable, the querystring contains the full parameter even though $_GET is empty. Access logs always contain the correct request, and when GET is empty, an error of type undefined index is triggered as expected. HTTP doesn't specify any limits on GET-requests, major browsers support from 2000 characters and upwards (including MS Internet Explorer), and the (unchanged) default in Apache is around 8000 characters. If Apache was the problem, a http-413-error would have been triggered indicating a too long request. I'm currently using php 5.3.2, along with Apache 2.2.14, and also tested php 5.3.3/Apache 2.2.16. This works fine on another server we are running using php 5.2.4 and apache 2.2.8. If you need more information, or want me to do more tests, I'm available on e-mail: [email protected] and IRC: bjelleklang, mostly on Freenode.net. I've put an example script with the source code below at http://pluto.bjelleklang.org/index.php?p=&p2=. Just add values to the two parameters. This server is running PHP 5.3.3 regards, Chris Test script: --------------- <?php $d = $_GET['p']; $d2 = $_GET['p2']; echo "Length: " . strlen($d) . '<br>'; echo "Length: " . strlen($d2) . '<br>'; print_r($GLOBALS); print_r( $_SERVER); print_r($_GET); print_r($_SESSION); print_r($_REQUEST); print_r($_ENV); ?> Expected result: ---------------- I'd expect to see the actual length of the GET parameters, as well as entries in the various superglobals. Actual result: -------------- Nothing in the superglobals, GET parameters treated by PHP as if they aren't set, thus producing undefined index notices. -- Edit bug report at http://bugs.php.net/bug.php?id=53564&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=53564&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=53564&r=trysnapshot53 Try a snapshot (trunk): http://bugs.php.net/fix.php?id=53564&r=trysnapshottrunk Fixed in SVN: http://bugs.php.net/fix.php?id=53564&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=53564&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=53564&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=53564&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=53564&r=needscript Try newer version: http://bugs.php.net/fix.php?id=53564&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=53564&r=support Expected behavior: http://bugs.php.net/fix.php?id=53564&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=53564&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=53564&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=53564&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=53564&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=53564&r=dst IIS Stability: http://bugs.php.net/fix.php?id=53564&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=53564&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=53564&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=53564&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=53564&r=mysqlcfg
