From: ppmm at wuxinan dot net
Operating system: All
PHP version: 4.3.7
PHP Bug Type: Arrays related
Bug description: adding [] to the querystring often produces an error

Description:
------------
Have a look at the following URL, for example:

http://us2.php.net/source.php?url[]=/manual/en/installation.php

I think it's a very classic problem in PHP. $_GET["url"] becomes an array in the PHP script. This is a good thing, but the side effect is that when $_GET["url"] is not expected to be an array, the script will often produce an error, the message of which often includes the filesystem path of the PHP file on the server.

Surf to any PHP-based website and try this trick; it will often produce a great error message for hackers.

Sure, the webmaster could, however, prevent this kind of error from happening with some simple error checking. However, I mean, in a future release of PHP, is there any way we can do things better? Or somehow we need to educate webmasters about this (possibly security-related) issue.

-- 
Edit bug report at http://bugs.php.net/?id=28753&edit=1
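
One way to do the "simple error checking" the report mentions, as an added example (not code from the report or from PHP itself). The helper name `query_string_param`, its length limit and the sample query strings are constructed for illustration; in a web script the helper would be called with `$_GET`.

```php
<?php
declare(strict_types=1);

// Production setting: log errors instead of sending them (and the script path) to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Hypothetical helper: return a query parameter only if it is a plain string.
 * "url[]=x" or "url[a][b]=x" makes PHP build an array, which is rejected here.
 */
function query_string_param(array $query, string $name, int $maxLen = 2048): ?string
{
    if (!array_key_exists($name, $query)) {
        return null;                    // parameter absent
    }
    $value = $query[$name];
    if (!is_string($value)) {
        return null;                    // array (or nested array) supplied via [] syntax
    }
    if (strlen($value) > $maxLen || strpos($value, "\0") !== false) {
        return null;                    // oversized value or embedded NUL byte
    }
    return $value;
}

// Constructed sample inputs, parsed the same way PHP fills $_GET.
$samples = [
    'url=/manual/en/installation.php',
    'url[]=/manual/en/installation.php',
    'url[a][b]=x',
    'other=1',
];

foreach ($samples as $qs) {
    parse_str($qs, $query);
    $url = query_string_param($query, 'url');
    if ($url === null) {
        // In a web script: http_response_code(400) and a generic message, no internals.
        printf("%-40s => rejected (400)\n", $qs);
        continue;
    }
    printf("%-40s => accepted: %s\n", $qs, $url);
}
```

The type check keeps an array from reaching a string function, and `display_errors` off keeps any error that still occurs in the server log rather than in the response.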