Edit report at http://bugs.php.net/bug.php?id=53564&edit=1
ID: 53564 Updated by: [email protected] Reported by: chris at bjelleklang dot org Summary: Long get requests fails -Status: Open +Status: Bogus Type: Bug Package: Variables related Operating System: Linux; Ubuntu 10.04, krnl 2.6.32 PHP Version: 5.3.4 Block user comment: N Private report: N New Comment: Almost certainly due to suhosin; see suhosin.get.max_value_length Previous Comments: ------------------------------------------------------------------------ [2010-12-17 14:25:28] chris at bjelleklang dot org Description: ------------ I'm doing an integration against BBS, one of the bigger (if not biggest) online payment systems in Norway. After validating a credit card on an external site, BBS sends the user back to my site in a GET request, along with a long hash (around 850 characters), for a total URL-length of 860 characters. For some reason, I can't get access to the GET variable, unless I trim the length of the parameter down to 512 characters. 513 fails. Using two parameters of 512 chars each works fine, two parameters where the first is >512 chars fails on both, if the last one is >512 the first works fine. If I print_r the $_SERVER variable, the querystring contains the full parameter even though $_GET is empty. Access logs always contain the correct request, and when GET is empty, an error of type undefined index is triggered as expected. HTTP doesn't specify any limits on GET-requests, major browsers support from 2000 characters and upwards (including MS Internet Explorer), and the (unchanged) default in Apache is around 8000 characters. If Apache was the problem, a http-413-error would have been triggered indicating a too long request. I'm currently using php 5.3.2, along with Apache 2.2.14, and also tested php 5.3.3/Apache 2.2.16. This works fine on another server we are running using php 5.2.4 and apache 2.2.8. If you need more information, or want me to do more tests, I'm available on e-mail: [email protected] and IRC: bjelleklang, mostly on Freenode.net. I've put an example script with the source code below at http://pluto.bjelleklang.org/index.php?p=&p2=. Just add values to the two parameters. This server is running PHP 5.3.3 regards, Chris Test script: --------------- <?php $d = $_GET['p']; $d2 = $_GET['p2']; echo "Length: " . strlen($d) . '<br>'; echo "Length: " . strlen($d2) . '<br>'; print_r($GLOBALS); print_r( $_SERVER); print_r($_GET); print_r($_SESSION); print_r($_REQUEST); print_r($_ENV); ?> Expected result: ---------------- I'd expect to see the actual length of the GET parameters, as well as entries in the various superglobals. Actual result: -------------- Nothing in the superglobals, GET parameters treated by PHP as if they aren't set, thus producing undefined index notices. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/bug.php?id=53564&edit=1
