Problem is all the validation code I've written assumes you can only pass strings in the query string.

Literally hours of searching revealed only a vague mention of this being possible.

Is there any way to disable it, or do I have to do something like this to work around it:

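foreach ($_GET as &$var) {
    // Casting an array to string yields the literal text "Array".
    $var = (string)$var;
}
unset($var); // break the reference left behind by the by-reference loop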

Is this documented anywhere?

And does this apply only to the query string or are there ways to pass arrays and other non-string variables through other means such as POST and cookies??

I doubt you can disable it.

 

I assume your GET url has something like this in it: ?var[]=something

To access it, you can simply use var[0].

If this process is automated, you could do a quick is_array() check and use the [0] if it is and your normal function if it isn't.

First of all, you should never assume data is what it is supposed to be.

This is security rule number 1, NO ASSUMING!!!!!!

In your validation, simply check and make sure it is a string before doing any processing (or integer if the case).

Check out these functions:

intval()
is_int()
is_string()
is_array()

ctype_digit()
ctype_alnum()

Those should get you started! :)

Yeah, I know that...

Problem is I never knew it was possible to pass an array in the query string! :o

I already verify if something is supposed to be an integer with ctype_digit(), but text strings were being passed to other functions that would validate them or escape dangerous characters.

Turns out if most of them (including preg_match(), htmlspecialchars() and mysql_real_escape_string()) get an array they fail with a warning!

I can't even find this in the official documentation. Is it buried somewhere? Can anyone else find it?
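
Added example, not part of any post in this thread: one way to do the "make sure it is a string" check suggested above, so that an array parameter never reaches preg_match() or htmlspecialchars(). The helper names string_param() and digit_param() and the sample query strings are made up for illustration; PHP builds arrays from bracketed names in POST fields and cookies as well as the query string, so the same helpers can be given $_GET, $_POST or $_COOKIE.

```php
<?php
declare(strict_types=1);

/**
 * Return request parameter $name only if it arrived as a plain string.
 * Arrays (from ?name[]=x or ?name[key]=x) and missing keys yield null,
 * so callers never hand an array to preg_match(), htmlspecialchars(), etc.
 * Hypothetical helper written for this example.
 */
function string_param(array $source, string $name, int $maxLen = 255): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = $source[$name];
    return strlen($value) <= $maxLen ? $value : null;
}

/** Same idea for non-negative integers: string first, then digits only. */
function digit_param(array $source, string $name): ?int
{
    // At most 9 digits so the cast cannot overflow a 32-bit integer.
    $value = string_param($source, $name, 9);
    return ($value !== null && ctype_digit($value)) ? (int)$value : null;
}

// Constructed query strings. parse_str() parses them the way PHP parses
// the URL query string into $_GET, so this runs from the CLI without a server.
$samples = [
    'name=alice&id=42',       // plain strings: accepted
    'name[]=alice&id[]=42',   // both become arrays: rejected
    'name[a][b]=x&id=42abc',  // nested array and non-digit id: rejected
    'id=42',                  // name missing: null
];

foreach ($samples as $query) {
    parse_str($query, $params);
    printf(
        "%-24s name=%s id=%s\n",
        $query,
        var_export(string_param($params, 'name'), true),
        var_export(digit_param($params, 'id'), true)
    );
}
```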
