Array value from a forum input element

Question

I was under the impression that what ever is inserted into a <input type="text" name="something"> would be recieved as a string in PHP with $_POST['something'].

But now im running a tools to test my website and somehow $_POST['something'] can be an array.

How is that possible ?

Show your code and explain more specifically how it is not doing what you want. — Mike Brant, Jan 30 '15 at 21:33

Weltschmerz · Answer 1 · 2015-01-30T21:39:20.847

2

If in your form you have inputs like <input name="something[]" ... /> you can have many of them or <select name="something[]" multiple ... />, etc.

$_POST['something'] would be an array.

edited Jan 30 '15 at 21:39

answered Jan 30 '15 at 21:34

Weltschmerz

2,166
1
15
18

JerzySkalski · Answer 2 · 2015-01-30T21:50:29.957

It's common 'hack'. You should always verify that variables you get are in format you expect. Example with $_GET:

http://127.0.0.1/hack_test.php?a[]=3&a[]=5?a[]=3&a[]=5

Example with $_GET and 'keys' of array:

http://127.0.0.1/hack_test.php?a[3]=3&a[hack_name]=5

If you put:

<?php
var_dump($_GET);

In hack_test.php it will show:

array(1) {
  ["a"]=>
  array(2) {
    [0]=>
    string(1) "3"
    [1]=>
    string(1) "5"
  }
}

Variable $_GET['a'] is array with 2 elements!

It's like that in PHP, because website forms sometimes require that feature. Example:

<form ..>
<input type="checkbox" name="multicheckbox[]" value="chicken" />
<input type="checkbox" name="multicheckbox[]" value="apple" />
<input type="checkbox" name="multicheckbox[]" value="sugar" />
</form>

I called it 'hack', because:

If you use other PHP feature 'string is array of bytes' then someone can send you modified data to script, ex. $x = "abc"; $a = $x[0]; echo $a; -> 'a'
If you put data from input [form] in SQL query without verification, hacker can use it to make 'invalid query format' and in some cases, it let him get some information from database!

Is this array stuff with [] something special between HTML and PHP or does it exist in HTML standard and have nothing to do with PHP ? — scootergrisen, Jan 30 '15 at 22:19
I could not find it in any documentation of HTML, found only information that it's invalid attribute format in XHTML: http://stackoverflow.com/a/15571743/4513021 but XHTML validator accepts '[]' in 'name'. It's only described in PHP doc: http://php.net/manual/en/faq.html.php#faq.html.arrays It works on server side (change few strings with same name to array). If you use as name 'a' for few form elements PHP will make it string with value of last sent element. If you use as name 'a[]' for few form elements PHP will make it array with values indexed by number of key you set for them. — JerzySkalski, Feb 01 '15 at 11:31

Array value from a forum input element

2 Answers2