ID: 10519
Updated by: bbonev
Status: Open
Bug Type: Variables related
PHP Version: 4.0.4pl1
Assigned To: 

indeed i have missed one of the points - the fact that when passing data in the array 
form, all the values combine in a single array. further testing showed that the 
cookies also appear in HTTP_GET_VARS. i am sure that if there is a post to a URL with 
a get var and some cookies (all varnames in array form) HTTP_*_ARRAY will contain all 
the values.

this issue is a serious concern about the --enable-track-vars code. it must be 
resolved by overwriting the whole arrays, not adding data to them in order to be 


get var: myarr[one]=1
post var: myarr[two]=2
cookie var: myarr[three]=3

gpc order is GPC

the global array $myarr has only the 'one' key

the HTTP_*_VARS have only the proper arrays
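
The difference between one combined array and reading a single source can be sketched as follows. This is an added example, not code from the report or from PHP itself; `combined_view`, `sources_supplying` and `read_from` are hypothetical helpers, and the `$sources` array is constructed from the request above (a live script would fill it from `$HTTP_GET_VARS`, `$HTTP_POST_VARS` and `$HTTP_COOKIE_VARS`).

```php
<?php
// Added illustration; not PHP's internal variable-import code.
// Constructed input mirroring the request in the report.
$sources = [
    'G' => ['myarr' => ['one' => '1']],    // get var:    myarr[one]=1
    'P' => ['myarr' => ['two' => '2']],    // post var:   myarr[two]=2
    'C' => ['myarr' => ['three' => '3']],  // cookie var: myarr[three]=3
];

// Hypothetical model of the "adding data" behaviour: keys from every
// source listed in $order end up in one array.
function combined_view(string $name, array $sources, string $order): array
{
    $value = [];
    foreach (str_split($order) as $src) {
        $incoming = $sources[$src][$name] ?? [];
        if (is_array($incoming)) {
            $value = array_replace_recursive($value, $incoming);
        }
    }
    return $value;
}

// Hypothetical helper: list the sources that supplied $name.
function sources_supplying(string $name, array $sources): array
{
    return array_keys(array_filter($sources, fn($vars) => array_key_exists($name, $vars)));
}

// Hypothetical helper: read $name from exactly one source and refuse the
// request when any other source also carries that name.
function read_from(string $name, array $sources, string $wanted): array
{
    $others = array_diff(sources_supplying($name, $sources), [$wanted]);
    if ($others) {
        throw new RuntimeException("$name also supplied by: " . implode(',', $others));
    }
    $value = $sources[$wanted][$name] ?? [];
    return is_array($value) ? $value : [];
}

print_r(combined_view('myarr', $sources, 'GPC'));
try {
    print_r(read_from('myarr', $sources, 'P'));
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```
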

Previous Comments:

[2001-04-29 13:23:27] [EMAIL PROTECTED]
think about cookies the same way as GET data or POST data - they are at the same level 
and can be spoofed very easily with a cURL client for example. one can tell his client 
what cookie with what value to pass for a given request.

the issue here is not security but programmers' comfort. but when one uses the short 
representations of variables she must be aware of the GPC order setting.

i think this is the same as overriding a post variable with a get one.

do you think this bug shall be closed?


[2001-04-26 21:35:49] [EMAIL PROTECTED]


If you access this page with the command line argument 


print_r will show cookie[three] in $HTTP_COOKIE_VARS.

Just a bit of incongruous material, but for some sites could cause problems if cookies 
are spoofed thusly.



PHP Development Mailing List