ID: 30523 User updated by: support at ruishi dot info Reported By: support at ruishi dot info Status: Open Bug Type: URL related Operating System: Linux SUSE PHP Version: 4.3.9 New Comment:
Hello, some investigation reveals that the hosting company has its reasons to run it using the CGI API, mainly because of the security related to multi hosting users. If PHP is run using the Apache API, then every hosting user can view other users' file (e.g. config files containing passwords). This problem seems to have existed for extremely long time (several years), hope it wouldn't stay there forever... No guru could get rid of it? Is there any way around? See, one normally has to host his files on an ISP's machine, but PHP is usually installed using the CGI API because of the security reason mentioned above. If $_GET does not work (probably other $_VARs as well), then most php scripts would be broken. How could the Web site survive? Has anyone collected information about which OSes are free from this bug? SUSE seems to be problematic, how about debian and else? Previous Comments: ------------------------------------------------------------------------ [2004-10-22 11:10:36] support at ruishi dot info in the output of phpinfo(), there does exist a line "Server API: CGI". I will check with our sysadmin to see if we can solve it by making it an Apache2 module. Stay tuned please. More comments and suggestions are welcome. ------------------------------------------------------------------------ [2004-10-22 00:57:24] scottm at spamcop dot net We've had customers with a similar issue but never found out the cause of it, we had null session paramaters in the query string if they were using cookies but for some reason or another some hosts just didn't work. We were never able to find out what caused this in the first place. I've just searched through a few of the previous support tickets and they varied from PHP 4.3.1 to PHP 4.3.4. They all ran PHP as a CGI though. Do you run PHP as a CGI? ------------------------------------------------------------------------ [2004-10-21 23:55:32] support at ruishi dot info A typo in the submission (in the section of Expected Result): ------ For Link 2, the correct result should be: Array ( [tid] => 123 [a] => 1 [b] => 2 [c] => 3 ) ------ should be: Array ( [tid] => 123 [a] => 1 [b] => 2 [c] => NULL or ''?) ------------------------------------------------------------------------ [2004-10-21 23:19:42] support at ruishi dot info Description: ------------ The bug described earlier in http://bugs.php.net/bug.php?id=28221 by some sir else still persists in PHP-4.3.9, Suse Linux. The problem is: The request "page.php?var1=a&var2=b&var3=c" sets the $_GET array correctly, but a slightly different request "page.php?var1=a&var2=b&var3=" with a null $var3 will make the whole $_GET array null! A live demo can be found at: Everything is fine with Link 1: http://www.ruishi.info/forum/testwindnumeric.php?tid=123&a=1&b=2&c=3 Then $_GET becomes null is the last variable $c is null in Link 2: http://www.ruishi.info/forum/testwindnumeric.php?tid=123&a=1&b=2&c= Reproduce code: --------------- $tid=<?=$_GET['tid']?><br> <?php require_once('./testglobal.php'); echo "$tid<br>"; echo $_GET['tid']; echo "\$_GET="; print_r($_GET); echo "<br>"; if(!is_numeric($_GET['tid'])) echo('invalid id number'); ?> In testglobal.php, the related sections: print_r($_GET); echo "<br>"; unset($GLOBALS,$_ENV,$HTTP_ENV_VARS,$_REQUEST,$HTTP_POST_VARS,$HTTP_GET_VARS,$HTTP_POST_FILES,$HTTP_COOKIE_VARS); $Is_Gmqgg=get_magic_quotes_gpc(); if(!$Is_Gmqgg){ Add_S($_POST); Add_S($_GET); Add_S($_COOKIE); } print_r($_GET); echo "<br>"; ...... Expected result: ---------------- For Link 1, the result is correct. For Link 2, the correct result should be: Array ( [tid] => 123 [a] => 1 [b] => 2 [c] => 3 ) Actual result: -------------- For Link 2, the actual incorrect result is: Array ( ) ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=30523&edit=1
