From:             php at niksoggia dot it
Operating system: Linux
PHP version:      5.2.3
PHP Bug Type:     *Web Server problem
Bug description:  handling dots in http request variable names

Description:
------------
Some HTTP request variable names are modified in an unexpected way.
The HTML form may submit data using either get or post methods; retrieving
those values using $_GET, $_POST, $_REQUEST, $HTTP_GET_VARS or $HTTP_POST_VARS
leads to the same and unpredictable result.
This does not happen to the $z check array, that behaves predictably.

To trigger this behaviour, the HTTP request variable name (that will
become the key of an associative array) must contain at least one dot
character (".", ASCII 0x2E).

My sample code demonstrates that "x.y" is renamed as "x_y" overwriting the
legitimate "x_y" value and leaving the "x.y" key unset.
If you delete the "x_y" input tag and resubmit the form, the result will
not change. If you restore the "x_y" input tag then delete the "x.y" input
tag and then resubmit the form, the result will be as expected.

Reproduce code:
---------------
<html><title>dot bug</title><body>
<form method="get" action="">
<tt>x_y: </tt><input type="text" name="x_y" value="1"><br>
<tt>x-y: </tt><input type="text" name="x-y" value="2"><br>
<tt>x.y: </tt><input type="text" name="x.y" value="3"><br>
<input type="submit">
</form><tt>
<?php
$z = array ('x_y' => 'x_y [', 'x-y' => 'x-y [', 'x.y' => 'x.y [');
echo (  $z['x_y'] . $_GET['x_y'] . '] [' . isset ($_GET['x_y']) . "]<br>\n" .
        $z['x-y'] . $_GET['x-y'] . '] [' . isset ($_GET['x-y']) . "]<br>\n" .
        $z['x.y'] . $_GET['x.y'] . '] [' . isset ($_GET['x.y']) . "]<br>\n" .
        '<hr>query string: ' . htmlspecialchars ($_SERVER['QUERY_STRING']));
?>
</tt></body></html>

Expected result:
----------------
x_y [1] [1]
x-y [2] [1]
x.y [3] [1]

Actual result:
--------------
x_y [3] [1]
x-y [2] [1]
x.y [] []

-- 
Edit bug report at http://bugs.php.net/?id=41821&edit=1
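
The renaming reported above can be checked on the server by parsing the raw query string and comparing the submitted names with the keys PHP stores them under. This is an added example, not code from the bug report or from PHP itself; the function names are hypothetical, and it assumes PHP 7.1+ and the default "&" input separator.

```php
<?php
// Added example, not part of the bug report. Function names are hypothetical.
// Assumes PHP 7.1+ and the default "&" input separator.

/** Split a raw query string into [rawName, value] pairs, names untouched. */
function raw_query_pairs(string $query): array
{
    $pairs = [];
    foreach (explode('&', $query) as $part) {
        if ($part === '') {
            continue;
        }
        $kv = explode('=', $part, 2);
        $pairs[] = [urldecode($kv[0]), urldecode($kv[1] ?? '')];
    }
    return $pairs;
}

/** Key PHP stores the name under: dots and spaces before any "[" become "_". */
function php_key(string $rawName): string
{
    $name = ltrim($rawName, ' ');           // leading spaces are dropped
    $pos  = strpos($name, '[');
    $base = $pos === false ? $name : substr($name, 0, $pos);
    $rest = $pos === false ? '' : substr($name, $pos);
    return strtr($base, '. ', '__') . $rest;
}

/** Map each stored key to the distinct raw names that end up in it. */
function mangled_collisions(string $query): array
{
    $byKey = [];
    foreach (raw_query_pairs($query) as [$raw, $value]) {
        $byKey[php_key($raw)][$raw] = $value;
    }
    return array_filter($byKey, function (array $raws): bool {
        return count($raws) > 1;
    });
}

// Constructed sample: the query string produced by the form in the report.
$sample = 'x_y=1&x-y=2&x.y=3';
foreach (mangled_collisions($sample) as $key => $raws) {
    printf("\$_GET['%s'] receives: %s\n", $key, json_encode($raws));
}
```

Input validation or logging that keys on parameter names should compare against the stored key, since a filter written for "x_y" also has to account for "x.y" arriving in the same slot.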