I just downloaded and installed the latest aviable version - PHP 4.0.4pl1. Yes, the problem still exists. |-----Original Message----- |From: Bug Database [mailto:[EMAIL PROTECTED]] |Sent: Sunday, February 25, 2001 1:33 PM |To: [EMAIL PROTECTED] |Subject: PHP 4.0 Bug #6919 Updated: URL parameter decoding | | |ID: 6919 |Updated by: sbergmann |Reported By: [EMAIL PROTECTED] |Old-Status: Open |Status: Feedback |Bug Type: PWS related |Assigned To: |Comments: | |Does the problem persist with PHP 4.0.4pl1 or the latest snapshot |from http://snaps.php.net/? | |Previous Comments: |--------------------------------------------------------------------------- | |[2000-12-12 11:43:51] [EMAIL PROTECTED] |User repors it being PWS. | |--------------------------------------------------------------------------- | |[2000-12-12 05:55:11] [EMAIL PROTECTED] |Which webserver is it? | |--------------------------------------------------------------------------- | |[2000-09-28 03:40:20] [EMAIL PROTECTED] |My server is configured to retrieve a file called "index.php" by |default. Thus the following two URLs should give the same result: | |(1) http://.../index.php?a=b&c=d |(2) http://.../?a=b&c=d | |The statement... | |<!PHP print('a['.$a.'] c['.$c.']); ?> | |...results in: | |(1) a[b] c[d] |(2) a[] c[] | |Thus, the parameters seem not to be decoded correctly in the second case. | |Test with HTTP_GET_VARS show the same effect. | |I use the precompiled windows version as found in the download |section. And here is my "php.ini": | |[PHP] | |;;;;;;;;;;;;;;;;;;; |; About this file ; |;;;;;;;;;;;;;;;;;;; |; This file controls many aspects of PHP's behavior. In order for PHP to |; read it, it must be named 'php.ini'. PHP looks for it in the current |; working directory, in the path designated by the environment variable |; PHPRC, and in the path that was defined in compile time (in that order). |; Under Windows, the compile-time path is the Windows directory. The |; path in which the php.ini file is looked for can be overriden using |; the -c argument in command line mode. |; |; The syntax of the file is extremely simple. Whitespace and Lines |; beginning with a semicolon are silently ignored (as you probably |guessed). |; Section headers (e.g. [Foo]) are also silently ignored, even though |; they might mean something in the future. |; |; Directives are specified using the following syntax: |; directive = value |; Directive names are *case sensitive* - foo=bar is different from FOO=bar. |; |; The value can be a string, a number, a PHP constant (e.g. E_ALL |or M_PI), one |; of the INI constants (On, Off, True, False, Yes, No and None) or |an expression |; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo"). |; |; Expressions in the INI file are limited to bitwise operators and |parentheses: |; | bitwise OR |; & bitwise AND |; ~ bitwise NOT |; ! boolean NOT |; |; Boolean flags can be turned on using the values 1, On, True or Yes. |; They can be turned off using the values 0, Off, False or No. |; |; An empty string can be denoted by simply not writing anything |after the equal |; sign, or by using the None keyword: |; |; foo = ; sets foo to an empty string |; foo = none ; sets foo to an empty string |; foo = "none" ; sets foo to the string 'none' |; |; If you use constants in your value, and these constants belong |to a dynamically |; loaded extension (either a PHP extension or a Zend extension), |you may only |; use these constants *after* the line that loads the extension. |; |; All the values in the php.ini-dist file correspond to the builtin |; defaults (that is, if no php.ini is used, or if you delete these lines, |; the builtin defaults will be identical). | | |;;;;;;;;;;;;;;;;;;;; |; Language Options ; |;;;;;;;;;;;;;;;;;;;; | |engine = On ; Enable the PHP scripting |language engine under Apache |short_open_tag = On ; allow the <? tag. otherwise, |only <?php and <script> tags are recognized. |asp_tags = Off ; allow ASP-style <% %> tags |precision = 14 ; number of significant |digits displayed in floating point numbers |y2k_compliance = Off ; whether to be year 2000 compliant |(will cause problems with non y2k compliant browsers) |output_buffering = Off ; Output buffering allows you to |send header lines (including cookies) | ; even |after you send body content, in the price of slowing PHP's | ; output |layer a bit. | ; You can |enable output buffering by in runtime by calling the output | ; buffering |functions, or enable output buffering for all files | ; by |setting this directive to On. |implicit_flush = Off ; Implicit flush tells PHP to tell |the output layer to flush itself | ; |automatically after every output block. This is equivalent to | ; calling |the PHP function flush() after each and every call to print() | ; or echo() |and each and every HTML block. | ; Turning |this option on has serious performance implications, and | ; is |generally recommended for debugging purposes only. |allow_call_time_pass_reference = On ; whether to enable the |ability to force arguments to be | | ; passed by reference at function-call time. This method | | ; is deprecated, and is likely to be unsupported in future | | ; versions of PHP/Zend. The encouraged method of specifying | | ; which arguments should be passed by reference is in the | | ; function declaration. You're encouraged to try and | | ; turn this option Off, and make sure your scripts work | | ; properly with it, to ensure they will work with future | | ; versions of the language (you will receive a warning | | ; each time you use this feature, and the argument will | | ; be passed by value instead of by reference). | |; Safe Mode |safe_mode = Off |safe_mode_exec_dir = |safe_mode_allowed_env_vars = PHP_ |; Setting certain environment variables | | ; may be a potential security breach. | | ; This directive contains a comma-delimited | | ; list of prefixes. In Safe Mode, the | | ; user may only alter environment | | ; variables whose names begin with the | | ; prefixes supplied here. | | ; By default, users will only be able | | ; to set environment variables that begin | | ; with PHP_ (e.g. PHP_FOO=BAR). | | ; Note: If this directive is empty, PHP | | ; will let the user modify ANY environment | | ; variable! |safe_mode_protected_env_vars = LD_LIBRARY_PATH ; This |directive contains a comma- | | ; delimited list of environment variables, | | ; that the end user won't be able to | | ; change using putenv(). | | ; These variables will be protected | | ; even if safe_mode_allowed_env_vars is | | ; set to allow to change them. | | |disable_functions = | ; This directive allows you to disable certain | | ; functions for security reasons. |It receives | | ; a comma separated list of function names. | | ; This directive is *NOT* affected |by whether | | ; Safe Mode is turned on or off. | | | |; Colors for Syntax Highlighting mode. Anything that's acceptable |in <font color=???> would work. |highlight.string = #DD0000 |highlight.comment = #FF8000 |highlight.keyword = #007700 |highlight.bg = #FFFFFF |highlight.default = #0000BB |highlight.html = #000000 | |; Misc |expose_php = On ; Decides whether PHP may |expose the fact that it is installed on the | ; server (e.g., by |adding its signature to the Web server header). | ; It is no security |threat in any way, but it makes it possible | ; to determine |whether you use PHP on your server or not. | | | |;;;;;;;;;;;;;;;;;;; |; Resource Limits ; |;;;;;;;;;;;;;;;;;;; | |max_execution_time = 30 ; Maximum execution time of each |script, in seconds |memory_limit = 8388608 ; Maximum amount of memory a script |may consume (8MB) | | |;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; |; Error handling and logging ; |;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; |; error_reporting is a bit-field. Or each number up to get |desired error reporting level |; E_ALL - All errors and warnings |; E_ERROR - fatal run-time errors |; E_WARNING - run-time warnings (non fatal errors) |; E_PARSE - compile-time parse errors |; E_NOTICE - run-time notices (these are |warnings which often result from a bug in |; your code, but it's |possible that it was intentional (e.g., using an |; uninitialized variable |and relying on the fact it's automatically |; initialized to an empty string) |; E_CORE_ERROR - fatal errors that occur during PHP's |initial startup |; E_CORE_WARNING - warnings (non fatal errors) that occur |during PHP's initial startup |; E_COMPILE_ERROR - fatal compile-time errors |; E_COMPILE_WARNING - compile-time warnings (non fatal errors) |; E_USER_ERROR - user-generated error message |; E_USER_WARNING - user-generated warning message |; E_USER_NOTICE - user-generated notice message |; Examples: |; error_reporting = E_ALL & ~E_NOTICE | ; show all errors, except for notices |; error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ; |show only errors |error_reporting = E_ALL & ~E_NOTICE ; |Show all errors except for notices |display_errors = On ; Print out errors (as a part of the output) | ; For production |web sites, you're strongly encouraged | ; to turn this |feature off, and use error logging instead (see below). | ; Keeping |display_errors enabled on a production web site may reveal | ; security |information to end users, such as file paths on your Web server, | ; your database |schema or other information. |log_errors = Off ; Log errors into a log |file (server-specific log, stderr, or error_log (below)) | ; As stated above, |you're strongly advised to use error logging in place of | ; error displaying |on production web sites. |track_errors = Off ; Store the last error/warning |message in $php_errormsg (boolean) |;error_prepend_string = "<font color=ff0000>" ; string to output |before an error message |;error_append_string = "</font>" ; string to output |after an error message |;error_log = filename ; log errors to specified file |;error_log = syslog ; log errors to syslog |(Event Log on NT, not valid in Windows 95) |warn_plus_overloading = Off ; warn if the + |operator is used with strings | | |;;;;;;;;;;;;;;;;; |; Data Handling ; |;;;;;;;;;;;;;;;;; |variables_order = "EGPCS" ; This directive |describes the order in which PHP registers | ; |GET, POST, Cookie, Environment and Built-in variables (G, P, | ; |C, E & S respectively, often referred to as EGPCS or GPC). | ; |Registration is done from left to right, newer values override | ; |older values. |register_globals = On ; Whether or not to |register the EGPCS variables as global | ; |variables. You may want to turn this off if you don't want | ; |to clutter your scripts' global scope with user data. This makes | ; |most sense when coupled with track_vars - in which case you can | ; |access all of the GPC variables through the $HTTP_*_VARS[], | ; variables. |register_argc_argv = On ; This directive |tells PHP whether to declare the argv&argc | ; |variables (that would contain the GET information). If you | ; |don't use these variables, you should turn it off for | ; |increased performance |track_vars = On ; enable |the $HTTP_*_VARS[] arrays, where * is one of | ; |ENV, POST, GET, COOKIE or SERVER. |gpc_order = "GPC" ; This directive is |deprecated. Use variables_order instead. | |; Magic quotes |magic_quotes_gpc = On ; magic quotes for |incoming GET/POST/Cookie data |magic_quotes_runtime= Off ; magic quotes for |runtime-generated data, e.g. data from SQL, from exec(), etc. |magic_quotes_sybase = Off ; Use Sybase-style |magic quotes (escape ' with '' instead of ') | |; automatically add files before or after any PHP document |auto_prepend_file = |auto_append_file = | |; As of 4.0b4, PHP always outputs a character encoding by default in |; the Content-type: header. To disable sending of the charset, simply |; set it to be empty. |; PHP's built-in default is text/html |default_mimetype = "text/html" |;default_charset = "iso-8859-1" | |;;;;;;;;;;;;;;;;;;;;;;;;; |; Paths and Directories ; |;;;;;;;;;;;;;;;;;;;;;;;;; |include_path = ; UNIX: "/path1:/path2" |Windows: "path1;path2" |doc_root = C:ServerHTTP |; the root of the php pages, used only if nonempty |user_dir = ; |the directory under which php opens the script using /~username, |used only if nonempty |;upload_tmp_dir = ; temporary |directory for HTTP uploaded files (will use system default if not |specified) |upload_max_filesize = 2097152 ; 2 Meg default limit on file uploads |extension_dir = C:ServerPHP ; |directory in which the loadable extensions (modules) reside |enable_dl = On ; Whether |or not to enable the dl() function. | |; The dl() function does NOT properly work in multithreaded | |; servers, such as IIS or Zeus, and is automatically disabled | |; on them. | | |;;;;;;;;;;;;;;;;;;;;;; |; Dynamic Extensions ; |;;;;;;;;;;;;;;;;;;;;;; |; if you wish to have an extension loaded automaticly, use the |; following syntax: extension=modulename.extension |; for example, on windows, |; extension=msql.dll |; or under UNIX, |; extension=msql.so |; Note that it should be the name of the module only, no directory |information |; needs to go here. Specify the location of the extension with |the extension_dir directive above. | | |;Windows Extensions |;extension=php_nsmail.dll |;extension=php_calendar.dll |;extension=php_dbase.dll |;extension=php_filepro.dll |;extension=php_gd.dll |;extension=php_dbm.dll |;extension=php_mssql.dll |;extension=php_zlib.dll |;extension=php_filepro.dll |;extension=php_imap4r2.dll |;extension=php_ldap.dll |;extension=php_crypt.dll |;extension=php_msql2.dll |;extension=php_odbc.dll |; Note that MySQL support is now built in, so no dll is needed for it. | |;;;;;;;;;;;;;;;;;;; |; Module Settings ; |;;;;;;;;;;;;;;;;;;; | |[Syslog] |define_syslog_variables = Off ; Whether or not to define |the various syslog variables, | ; |e.g. $LOG_PID, $LOG_CRON, etc. Turning it off is a | ; |good idea performance-wise. In runtime, you can define | ; |these variables by calling define_syslog_variables() | | |[mail function] |SMTP = localhost |;for win32 only |sendmail_from = [EMAIL PROTECTED] ;for win32 only |;sendmail_path = |;for unix only, may supply arguments as well (default is 'sendmail -t -i') | |[Debugger] |debugger.host = localhost |debugger.port = 7869 |debugger.enabled = False | |[Logging] |; These configuration directives are used by the example logging mechanism. |; See examples/README.logging for more explanation. |;logging.method = db |;logging.directory = /path/to/log/directory | |[SQL] |sql.safe_mode = Off | |[ODBC] |;uodbc.default_db = Not yet implemented |;uodbc.default_user = Not yet implemented |;uodbc.default_pw = Not yet implemented |uodbc.allow_persistent = On ; allow or prevent persistent links |uodbc.check_persistent = On ; check that a connection |is still validbefore reuse |uodbc.max_persistent = -1 ; maximum number of |persistent links. -1 means no limit |uodbc.max_links = -1 ; maximum |number of links (persistent+non persistent). -1 means no limit |uodbc.defaultlrl = 4096 ; Handling of LONG fields. |Returns number of bytes to variables, 0 means passthru |uodbc.defaultbinmode = 1 ; Handling of binary data. |0 means passthru, 1 return as is, 2 convert to char |; See the documentation on odbc_binmode and odbc_longreadlen for |an explanation of uodbc.defaultlrl |; and uodbc.defaultbinmode | |[MySQL] |mysql.allow_persistent = On ; allow or prevent persistent link |mysql.max_persistent = -1 ; maximum number of |persistent links. -1 means no limit |mysql.max_links = -1 ; maximum |number of links (persistent+non persistent). -1 means no limit |mysql.default_port = ; default port |number for mysql_connect(). If unset, | ; |mysql_connect() will use the $MYSQL_TCP_PORT, or the mysql-tcp | ; |entry in /etc/services, or the compile-time defined MYSQL_PORT | ; |(in that order). Win32 will only look at MYSQL_PORT. |mysql.default_socket = ; default socket name for |local MySQL connects. If empty, uses the built-in | ; |MySQL defaults |mysql.default_host = ; default host for |mysql_connect() (doesn't apply in safe mode) |mysql.default_user = ; default user for |mysql_connect() (doesn't apply in safe mode) |mysql.default_password = ; default password for |mysql_connect() (doesn't apply in safe mode) | ; |Note that this is generally a *bad* idea to store passwords | ; |in this file. *Any* user with PHP access can run | ; |'echo cfg_get_var("mysql.default_password")' and reveal that | ; |password! And of course, any users with read access to this | ; |file will be able to reveal the password as well. | |[mSQL] |msql.allow_persistent = On ; allow or prevent persistent link |msql.max_persistent = -1 ; maximum number of |persistent links. -1 means no limit |msql.max_links = -1 ; maximum number of |links (persistent+non persistent). -1 means no limit | |[PostgresSQL] |pgsql.allow_persistent = On ; allow or prevent persistent link |pgsql.max_persistent = -1 ; maximum number of |persistent links. -1 means no limit |pgsql.max_links = -1 ; maximum |number of links (persistent+non persistent). -1 means no limit | |[Sybase] |sybase.allow_persistent = On ; allow or prevent |persistent link |sybase.max_persistent = -1 ; maximum number of |persistent links. -1 means no limit |sybase.max_links = -1 ; maximum number of |links (persistent+non persistent). -1 means no limit |;sybase.interface_file = "/usr/sybase/interfaces" |sybase.min_error_severity = 10 ; minimum error |severity to display |sybase.min_message_severity = 10 ; minimum message |severity to display |sybase.compatability_mode = Off ; compatability mode with |old versions of PHP 3.0. | |; If on, this will cause PHP to automatically assign types to results | |; according to their Sybase type, instead of treating them all as | |; strings. This compatability mode will probably not stay around | |; forever, so try applying whatever necessary changes to your code, | |; and turn it off. | |[Sybase-CT] |sybct.allow_persistent = On ; allow or prevent |persistent link |sybct.max_persistent = -1 ; maximum number of |persistent links. -1 means no limit |sybct.max_links = -1 ; |maximum number of links (persistent+non persistent). -1 means no limit |sybct.min_server_severity = 10 ; minimum server |message severity to display |sybct.min_client_severity = 10 ; minimum client |message severity to display | |[bcmath] |bcmath.scale = 0 ; number of decimal digits for all |bcmath functions | |[browscap] |;browscap = extra/browscap.ini | |[Informix] |ifx.default_host = ; default host for |ifx_connect() (doesn't apply in safe mode) |ifx.default_user = ; default user for |ifx_connect() (doesn't apply in safe mode) |ifx.default_password = ; default password |for ifx_connect() (doesn't apply in safe mode) |ifx.allow_persistent = On ; allow or prevent |persistent link |ifx.max_persistent = -1 ; maximum number of |persistent links. -1 means no limit |ifx.max_links = -1 ; maximum number of |links (persistent+non persistent). -1 means no limit |ifx.textasvarchar = 0 ; if set on, select |statements return the contents of a text blob instead of it's id |ifx.byteasvarchar = 0 ; if set on, select |statements return the contents of a byte blob instead of it's id |ifx.charasvarchar = 0 ; trailing blanks |are stripped from fixed-length char columns. May help the life | ; of Informix SE users. |ifx.blobinfile = 0 ; if set on, the |contents of text&byte blobs are dumped to a file instead of | ; keeping them in memory |ifx.nullformat = 0 ; NULL's are |returned as empty strings, unless this is set to 1. In that case, | ; NULL's are |returned as string 'NULL'. | |[Session] |session.save_handler = files ; handler used to store/retrieve data |session.save_path = /tmp ; argument passed to save_handler | ; in the case of files, this is the | ; path where data files are stored |session.use_cookies = 1 ; whether to use cookies |session.name = PHPSESSID | ; name of the session | ; is used as cookie name |session.auto_start = 0 ; initialize session on request startup |session.cookie_lifetime = 0 ; lifetime in seconds of cookie | ; or if 0, until browser is restarted |session.cookie_path = / ; the path the cookie is valid for |session.cookie_domain = ; the domain the cookie is valid for |session.serialize_handler = php ; handler used to serialize data | ; php is the standard serializer of PHP |session.gc_probability = 1 ; percentual probability that the | ; 'garbage collection' process |is started | ; on every session initialization |session.gc_maxlifetime = 1440 ; after this number of seconds, stored | ; data will be seen as 'garbage' and | ; cleaned up by the gc process |session.referer_check = ; check HTTP Referer to invalidate | ; externally stored URLs containing ids |session.entropy_length = 0 ; how many bytes to read from the file |session.entropy_file = ; specified here to create the |session id |; session.entropy_length = 16 |; session.entropy_file = /dev/urandom |session.cache_limiter = nocache ; set to {nocache,private,public} to | ; determine HTTP caching aspects |session.cache_expire = 180 ; document expires after n minutes | |[MSSQL] |;extension=php_mssql.dll |mssql.allow_persistent = On ; allow or prevent |persistent link |mssql.max_persistent = -1 ; maximum number of |persistent links. -1 means no limit |mssql.max_links = -1 ; |maximum number of links (persistent+non persistent). -1 means no limit |mssql.min_error_severity = 10 ; minimum error |severity to display |mssql.min_message_severity = 10 ; minimum message |severity to display |mssql.compatability_mode = Off ; compatability mode with |old versions of PHP 3.0. | |[Assertion] |;assert.active = On ; |assert(expr); active by default |;assert.warning = On ; |issue a PHP warning for each failed assertion. |;assert.bail = Off ; don't |bail out by default. |;assert.callback = 0 ; |user-function to be called if an assertion fails. |;assert.quiet_eval = 0 ; eval the |expression with current error_reporting(). set to true if you want |error_reporting(0) around the eval(). | |[Ingres II] |ii.allow_persistent = On ; allow or |prevent persistent link |ii.max_persistent = -1 ; maximum |number of persistent links. (-1 means no limit) |ii.max_links = -1 ; maximum number of |links, including persistents (-1 means no limit) |ii.default_database = ; default |database (format : [node_id::]dbname[/srv_class] |ii.default_user = ; |default user |ii.default_password = ; default password | |[Verisign Payflow Pro] |pfpro.defaulthost = "test.signio.com" |; default Signio server |pfpro.defaultport = 443 ; default |port to connect to |pfpro.defaulttimeout = 30 ; default timeout in seconds | |; pfpro.proxyaddress = ; default proxy IP |address (if required) |; pfpro.proxyport = ; default proxy port |; pfpro.proxylogon = ; default |proxy logon |; pfpro.proxypassword = ; default proxy password | |; Local Variables: |; tab-width: 4 |; End: | | |--------------------------------------------------------------------------- | |The remainder of the comments for this report are too long. To |view the rest of the comments, please view the bug report online. | | |ATTENTION! Do NOT reply to this email! |To reply, use the web interface found at |http://bugs.php.net/?id=6919&edit=2 | -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]