ID: 28753 User updated by: ppmm at wuxinan dot net Reported By: ppmm at wuxinan dot net Status: Wont fix Bug Type: Arrays related Operating System: All PHP Version: 4.3.7 New Comment:
true. But might be useful if we can turn off this feature via php.ini Previous Comments: ------------------------------------------------------------------------ [2004-06-12 12:19:53] [EMAIL PROTECTED] This is up to the programmers, not to us to fix. ------------------------------------------------------------------------ [2004-06-12 11:52:14] ppmm at wuxinan dot net Description: ------------ Have a look at the following URL, for example: http://us2.php.net/source.php?url[]=/manual/en/installation.php I think it's a very classical problem in PHP. $_GET["url"] becomes an array in PHP script. This is a good thing, but the side-effect is that when $_GET["url"] is not expected to be an array, script would often produce an error, the message of which often includes the filesystem path of the PHP file on the server. Surf whatever PHP-based website and try this trick, it would often produce a great error message for hackers. Sure, webmaster could, however, prevent this kind of error from happening by some simple error checking. However, I mean, in the future release of PHP, is there any way we can do things better? Or somehow we need to educate webmaster about this (possibly security-related) issue. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=28753&edit=1