CoJaBo Posted August 8, 2007 Share Posted August 8, 2007 Is there any way to stop PHP from turning a query string like this: ?var[] into an array when it is read by $_GET['var']? I have quite a few input validations that are easily screwed up by this strange (and apparently undocumented???) feature... Quote Link to comment Share on other sites More sharing options...
btherl Posted August 8, 2007 Share Posted August 8, 2007 Agreed, it is difficult to find things like that in the documentation. You can test if the variables are arrays as part of your validation. Quote Link to comment Share on other sites More sharing options...
ToonMariner Posted August 8, 2007 Share Posted August 8, 2007 you could loop over the array and turn each element into a var of its own... what exactly do you want to achieve? and whats wroing with just reading the $_GET['var'][] array. Quote Link to comment Share on other sites More sharing options...
CoJaBo Posted August 8, 2007 Author Share Posted August 8, 2007 Problem is all the validation code I've written assumes you can only pass strings in the query string. Literally hours of searching revealed only a vague mention of this being possible. Is there any way to disable it, or do I have to do something like this to work around it: foreach($_GET as &$var){ $var=(string)$var; } Is this documented anywhere? And does this apply only to the query string or are there ways to pass arrays and other non-string variables through other means such as POST and cookies?? Quote Link to comment Share on other sites More sharing options...
lemmin Posted August 8, 2007 Share Posted August 8, 2007 I doubt you can disable it. I assume your GET url has something like this in it: ?var[]=something To access it, you can simply use var[0]. if this process is automated, you could do a quick is_array() check and use the [0] if it is and your normal function if it isn't. Quote Link to comment Share on other sites More sharing options...
CoJaBo Posted August 8, 2007 Author Share Posted August 8, 2007 Seems POST and probably cookies are affected too. Is this 'feature' even documented? Quote Link to comment Share on other sites More sharing options...
drewbee Posted August 8, 2007 Share Posted August 8, 2007 First of all, you should never assume data is what it is suppose to be. This is security rule number 1, NO ASSUMING!!!!!! In your validation, simply check and make sure it is a string before doing any processing (or integer if the case). checkout these functions: intval() is_int() is_string() is_array() ctype_digit() ctype_alnum() Those should get you started! Quote Link to comment Share on other sites More sharing options...
CoJaBo Posted August 8, 2007 Author Share Posted August 8, 2007 Yeah, I know that... Problem is I never knew it was possible to pass an array in the query string! I already verify if something is supposed to be an integer with ctype_digit(), but text strings were being passed to other functions that would validate them or escape dangerous characters. Turns out if most of them (including preg_match(), htmlspecialchars() and mysql_real_escape_string()) get an array they fail with an warning! I can't even find this in the official documentation. Is it buried somewhere? Can anyone else find it? Quote Link to comment Share on other sites More sharing options...
btherl Posted August 10, 2007 Share Posted August 10, 2007 Documentation is here Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.