From: Sarah G. <sa...@fa...> - 2007-01-26 16:07:03
Thanks everyone. I hadn't known that about the transliteration and it makes perfect sense it's for register_globals. The site in question had been written 4-5 years ago and lived on a server where register_globals was on by default, so not surprising the issue existed and *definitely* not surprising that we noticed the problem when we moved servers. Field names were auto-generated to encode information, and some had dots in them. Anyway, noted and changed. Thanks.

Richard Lynch wrote:
> On Wed, January 24, 2007 2:08 pm, Sarah Gray wrote:
>
>> Does anyone know why it is that a form element named using dots is
>> transliterated to a form element named using underscores when it is
>> posted using PHP [4.4.4 and 4.3.2, at least]? It's as if php runs a
>> pre-filter preg_replace on the names of input fields before outputting
>> them to the $_POST array.
>> Is this for a security reason? Are these illegal naming conventions for
>> form names in general? Here's my example:
>>
>> I'd never encountered this before, but a simple test shows that
>>
>> <form action="#" method="post">
>> <input type="hidden" name="name.with.dots">
>> <input type="submit">
>> </form>
>>
>> turns into the below (when displayed using print_r) in the $_POST
>> array:
>>
>> Array
>> (
>> [name_with_dots] =>
>> )
>>
>
> Back in the good ol' days, when you didn't have a zillion spammers and
> hackers sending in crap data to a web form, you'd just be using
> $name_with_dots from register_globals.
>
> Since PHP variable names did not allow '.' in them, the dots had to
> turn into something else, and _ was chosen.
>
> As a result of this history, the $_POST (and $_GET) keys also are
> changed to match this.
>
> This is even more apparent if you use INPUT TYPE="IMAGE" NAME="foo"
> where you get foo_x and foo_y instead of foo.x and foo.y, which are
> HTTP spec, so you can't do anything about that conversion. At least
> when one is choosing the names, one can just opt not to use '.'
> [shrug]
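
An added example, not part of the original messages or of PHP itself: a small audit helper that parses a urlencoded form body without the key rewriting described in the thread and reports which submitted field names end up stored under a different `$_POST` key. The function names and the sample body are constructed for illustration; it assumes PHP 7.3+ and that `parse_str()` applies the same rewriting as `$_POST`, as documented in the PHP manual.

```php
<?php
// Added example. Function names and the sample body are constructed.

/**
 * Parse an application/x-www-form-urlencoded body by hand so that keys
 * keep the exact names the client sent. Returns [name, value] pairs.
 */
function parse_form_raw(string $body): array
{
    $pairs = [];
    foreach (explode('&', $body) as $part) {
        if ($part === '') {
            continue;
        }
        // Split on the first '=' only; a missing '=' means an empty value.
        $kv = explode('=', $part, 2);
        $pairs[] = [urldecode($kv[0]), urldecode($kv[1] ?? '')];
    }
    return $pairs;
}

/**
 * Map each raw field name to the key PHP stores it under, for every
 * name where the two differ (dots, spaces, and also array syntax
 * such as "a[b]", which is stored under "a").
 */
function rewritten_names(string $body): array
{
    $changed = [];
    foreach (parse_form_raw($body) as [$name, $value]) {
        $seen = [];
        parse_str(urlencode($name) . '=x', $seen);
        $key = (string) array_key_first($seen);
        if ($key !== $name) {
            $changed[$name] = $key;
        }
    }
    return $changed;
}

// Constructed sample body: the hidden field from the thread, an image
// input's coordinates, and one name that needs no rewriting.
// In a live urlencoded POST handler, read file_get_contents('php://input').
$body = 'name.with.dots=1&foo.x=12&foo.y=34&plain=ok';

print_r(rewritten_names($body));
```

Running this over logged request bodies or generated form templates before a migration shows which auto-generated field names the receiving code will not find under their original spelling.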