CoJaBo Posted August 8, 2007 Share Posted August 8, 2007 Is there any way to stop PHP from turning a query string like this: ?var[] into an array when it is read by $_GET['var']? I have quite a few input validations that are easily screwed up by this strange (and apparently undocumented???) feature... Link to comment https://forums.phpfreaks.com/topic/63849-disable-passing-arrays-in-query-string/ Share on other sites More sharing options...
btherl Posted August 8, 2007 Share Posted August 8, 2007 Agreed, it is difficult to find things like that in the documentation. You can test if the variables are arrays as part of your validation. Link to comment https://forums.phpfreaks.com/topic/63849-disable-passing-arrays-in-query-string/#findComment-318249 Share on other sites More sharing options...
ToonMariner Posted August 8, 2007 Share Posted August 8, 2007 you could loop over the array and turn each element into a var of its own... what exactly do you want to achieve? and whats wroing with just reading the $_GET['var'][] array. Link to comment https://forums.phpfreaks.com/topic/63849-disable-passing-arrays-in-query-string/#findComment-318267 Share on other sites More sharing options...
CoJaBo Posted August 8, 2007 Author Share Posted August 8, 2007 Problem is all the validation code I've written assumes you can only pass strings in the query string. Literally hours of searching revealed only a vague mention of this being possible. Is there any way to disable it, or do I have to do something like this to work around it: foreach($_GET as &$var){ $var=(string)$var; } Is this documented anywhere? And does this apply only to the query string or are there ways to pass arrays and other non-string variables through other means such as POST and cookies?? Link to comment https://forums.phpfreaks.com/topic/63849-disable-passing-arrays-in-query-string/#findComment-318674 Share on other sites More sharing options...
lemmin Posted August 8, 2007 Share Posted August 8, 2007 I doubt you can disable it. I assume your GET url has something like this in it: ?var[]=something To access it, you can simply use var[0]. if this process is automated, you could do a quick is_array() check and use the [0] if it is and your normal function if it isn't. Link to comment https://forums.phpfreaks.com/topic/63849-disable-passing-arrays-in-query-string/#findComment-318683 Share on other sites More sharing options...
CoJaBo Posted August 8, 2007 Author Share Posted August 8, 2007 Seems POST and probably cookies are affected too. Is this 'feature' even documented? Link to comment https://forums.phpfreaks.com/topic/63849-disable-passing-arrays-in-query-string/#findComment-318710 Share on other sites More sharing options...
drewbee Posted August 8, 2007 Share Posted August 8, 2007 First of all, you should never assume data is what it is suppose to be. This is security rule number 1, NO ASSUMING!!!!!! In your validation, simply check and make sure it is a string before doing any processing (or integer if the case). checkout these functions: intval() is_int() is_string() is_array() ctype_digit() ctype_alnum() Those should get you started! Link to comment https://forums.phpfreaks.com/topic/63849-disable-passing-arrays-in-query-string/#findComment-318729 Share on other sites More sharing options...
CoJaBo Posted August 8, 2007 Author Share Posted August 8, 2007 Yeah, I know that... Problem is I never knew it was possible to pass an array in the query string! I already verify if something is supposed to be an integer with ctype_digit(), but text strings were being passed to other functions that would validate them or escape dangerous characters. Turns out if most of them (including preg_match(), htmlspecialchars() and mysql_real_escape_string()) get an array they fail with an warning! I can't even find this in the official documentation. Is it buried somewhere? Can anyone else find it? Link to comment https://forums.phpfreaks.com/topic/63849-disable-passing-arrays-in-query-string/#findComment-318747 Share on other sites More sharing options...
btherl Posted August 10, 2007 Share Posted August 10, 2007 Documentation is here Link to comment https://forums.phpfreaks.com/topic/63849-disable-passing-arrays-in-query-string/#findComment-319991 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.