ID: 8449
Updated by: sniper
Reported By: [EMAIL PROTECTED]
Old Status: Analyzed
Status: Critical
Bug Type: Arrays related
Operating System: linux
Old PHP Version: 4.0.4
PHP Version: 4.1.0RC1
New Comment:

Reproduced also with PHP 4.1.0RC1

Here is the complete script for all the lazy developers
to try with:

form.php:
---------
<form action="form.php?person[age]=12" method=post>
<input type=text size=32 name=person[sname]>
</form>
<br>
<?php

echo "HTTP_POST_VARS<br>";
print_r($HTTP_POST_VARS);
echo "<p>";
echo "HTTP_GET_VARS<br>";
print_r($HTTP_GET_VARS);
echo "<p>";
echo "_POST<br>";
print_r($_POST);
echo "<p>";
echo "_GET<br>";
print_r($_GET) 

?>


Previous Comments:
------------------------------------------------------------------------

[2001-08-19 03:01:43] [EMAIL PROTECTED]

Oops. I had register_globals=off in my php.ini. 
Then this works as expected. But when it is On, not.

--Jani


------------------------------------------------------------------------

[2001-08-19 02:57:36] [EMAIL PROTECTED]

This is fixed at least in PHP 4.0.6.
Maybe even earlier.

--Jani


------------------------------------------------------------------------

[2000-12-28 02:49:06] [EMAIL PROTECTED]

I was trying to make the example as short as possible so it
looks stupid but it clearly demonstrates the problem. 

Two short examples of *correct* behaviour first:

Example 1:
<form action="bug.php?age=12" method=post>
<input type=text size=32 name=sname>
</form>

The form sets age using the URL path and sname using post. I could use cookies for age
but the example would be longer. The idea is to simultaneously use several different
methods to pass the variables. Nothing unusual here.

track_vars and register_globals are both on so in bug.php
I have access to $HTTP_GET_VARS[age],$HTTP_POST_VARS[sname] and to $age, $sname. I
have no $HTTP_GET_VARS[sname] and $HTTP_POST_VARS[age] and I should not. So far so
good.

Example 2:
let's try the following:

<form action="bug.php?sname=Pupkin" method=post>
<input type=text size=32 name=sname value='Collins'>
</form>

I use the same variable name in both requests.
Now I have $HTTP_GET_VARS[sname] == 'Pupkin' and $HTTP_POST_VARS[sname]='Collins' and
that is also correct and that is how I can check what method was used to pass the
variable (the global $sname value depends on variables_order of course).

Example 3: the bug

but let's put the variables into array:

<form action="bug?person[age]=12" method=post>
<input type=text size=32 name=person[sname]>
</form>

Now I expect to have $person[age],$person[$sname] in my global space and 
$HTTP_POST_VARS[person][sname],
$HTTP_GET_VARS[person][age]... right?

The bug is that I also have both $HTTP_POST_VARS[person][age] and
$HTTP_GET_VARS[person][sname] defined...

Do you see the problem? person[age] has somehow propagated into $HTTP_POST_VARS while
I had no person[age] in my post request... Now I have no way to find how that
variable was passed to my script... If I have a person[id] defined in the cookie then I
suddenly have also person[age] and person[sname] defined in HTTP_COOKIE_VARS and
person[id] defined in both POST_VARS and GET_VARS!

Looks like a bug to me.

Comments?

oleg






------------------------------------------------------------------------
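
A check for the symptom reported in Example 3, as an added example that is not part of the original thread or of PHP itself: it re-parses each method's raw data with parse_str() and lists the key paths that a request array holds but that raw data does not. The function names and sample values (including 'Collins' as the typed sname) are constructed for illustration, and the code is written for current PHP rather than 4.x.

```php
<?php
// Added example: find entries in a request array that were not actually
// sent by that method, by comparing against an independent parse of the
// method's raw data.

/** Return "a[b]" style key paths present in $claimed but not in $actual. */
function foreign_keys(array $claimed, array $actual, string $prefix = ''): array
{
    $found = [];
    foreach ($claimed as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (!array_key_exists($key, $actual)) {
            // The whole entry is absent from the raw data of this method.
            $found[] = $path;
        } elseif (is_array($value) && is_array($actual[$key])) {
            // Same array name on both sides: compare the nested keys too,
            // which is where the report sees the contamination.
            $found = array_merge($found, foreign_keys($value, $actual[$key], $path));
        }
    }
    return $found;
}

/** Parse a raw urlencoded string into an array without touching globals. */
function parse_raw(string $raw): array
{
    $out = [];
    parse_str($raw, $out);
    return $out;
}

// Constructed sample: the raw request data of Example 3 ...
$rawQuery = 'person[age]=12';
$rawBody  = 'person[sname]=Collins';

// ... and the request arrays as the report describes them when
// register_globals is on (each array also holds the other method's key).
$getVars  = ['person' => ['age' => '12', 'sname' => 'Collins']];
$postVars = ['person' => ['age' => '12', 'sname' => 'Collins']];

echo "Not sent via GET:\n";
print_r(foreign_keys($getVars, parse_raw($rawQuery)));
echo "Not sent via POST:\n";
print_r(foreign_keys($postVars, parse_raw($rawBody)));
```

In a live script the raw inputs would come from $_SERVER['QUERY_STRING'] and, for urlencoded posts, file_get_contents('php://input').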


