ID: 28753 Updated by: [EMAIL PROTECTED] Reported By: ppmm at wuxinan dot net -Status: Open +Status: Wont fix Bug Type: Arrays related Operating System: All PHP Version: 4.3.7 New Comment:
This is up to the programmers, not to us to fix. Previous Comments: ------------------------------------------------------------------------ [2004-06-12 11:52:14] ppmm at wuxinan dot net Description: ------------ Have a look at the following URL, for example: http://us2.php.net/source.php?url[]=/manual/en/installation.php I think it's a very classical problem in PHP. $_GET["url"] becomes an array in PHP script. This is a good thing, but the side-effect is that when $_GET["url"] is not expected to be an array, script would often produce an error, the message of which often includes the filesystem path of the PHP file on the server. Surf whatever PHP-based website and try this trick, it would often produce a great error message for hackers. Sure, webmaster could, however, prevent this kind of error from happening by some simple error checking. However, I mean, in the future release of PHP, is there any way we can do things better? Or somehow we need to educate webmaster about this (possibly security-related) issue. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=28753&edit=1
