
I'm wondering if anyone can confirm that the index (the ordinal position) of the $_GET/$_POST array elements reflects the original sequence in which the parameters were sent in the URL. In other words, if we look at the following URL containing the HTTP/GET:

http://www.example.com/test.php?a=123&b=453&c=xyz 

can we be sure that the variables are stored in $_GET in the same order? I mean, is it certain that:

$_GET[0]=123, $_GET[1]=453, $_GET[2]='xyz' ?

Obviously I'm aware that $_GET['a']=123, $_GET['b']=453, and so on, but I want the parameters to be sent with the freedom to choose the parameter name, which for me is not relevant; what is important in my application is the position (sequence) in the $_GET/$_POST. The same, with the appropriate changes, goes for the $_POST array. Any official statement?

Power Engineering
  • I doubt that is guaranteed. It certainly will be the case in most scenarios, since that array is populated one by one. But there may be additional steps involved in some situations which you have no knowledge about, for example proxies or mid layers. To me this sounds like a perfect example of an architecture that is less robust than easily possible. There is a reason why the list of arguments is associative and you simply want to throw that advantage away. – arkascha Oct 06 '19 at 09:16
  • Thank you for your very quick reply, arkascha. However, I would like to point out that I haven't said that "I will throw away the advantage of having an associative array"; I've just asked if there's an official statement regarding the sequence used to store the query string variables. I just asked that, I haven't said that I will build a service upon this "less robust architecture", so please don't blame me until I'm guilty of something. – Power Engineering Oct 08 '19 at 14:07
  • If you are interested in the reasons for my question, I was trying to understand if it's possible to retrieve the variables stored in the $_GET array, leaving the application the freedom to use their variable names and using their ordinal position to detect their meaning. For example, instead of writing a=1&b=2&c=3 I was trying to understand if it was possible to use xyz=1&abc=2&wtf=3, so the values would be retrieved relying on their sequence instead of on their variable names. It would be a nice protection strategy if it was possible, but as far as I understood there's no certainty in that. – Power Engineering Oct 08 '19 at 14:07
  • Sorry, I did not intend to blame you for anything. Certainly I did not want to provoke any hard feelings. Please understand that in programming, especially in places like this, we tend to use an extremely direct, specific language. If someone suggests something then "you want to" does not mean that we think he is nuts and wants to do something we need to prevent. It just means something along the lines of "what you ask suggests that you are thinking of doing something which in my eyes would be...". I hope you understand the tone in this. I have no reason to be disrespectful. – arkascha Oct 08 '19 at 16:49
  • If someone asks if something is guaranteed, then I _assume_ that the reason for the question is that if it is, that fact should get used. Here it would mean to access the arguments by their positions instead of by their keys. That is what I responded to, to make clear the difference between "it is possible" and "it is a good idea". Not more, not less. – arkascha Oct 08 '19 at 16:50
  • Your second comment then indeed suggests exactly what I _assumed_ ... and I can only repeat that this is a very bad idea. For the reason I named. I fail to see the problem you are trying to solve here, quite frankly. Sender and recipient have to agree on a convention to identify the arguments. Whether that is by position or by key is totally irrelevant. You should use the more robust approach, which clearly is the keys. Nothing speaks against renaming the arguments inside an application's logic. But an interface has to rely on some assumptions, you cannot get around that in the end. – arkascha Oct 08 '19 at 16:52
  • I'll try to explain better: the main idea was to discourage users from building their own GET using the address bar of the browser. If you see a URL like this: http://www.example.com/test.php?userid=3&function=1 then you understand that anyone could be attracted to test something like http://www.example.com/test.php?userid=56&function=2 that could lead to a disaster... Hence one way to avoid that is to make the whole thing less understandable to the reader, i.e. http://www.example.com/test.php?x=3&y=1, then again http://www.example.com/test.php?k=3&z=1, hence relying just on the variables' position... – Power Engineering Oct 09 '19 at 11:27
  • No. Also a bad idea. Again: please don't take that as an offence! It is a bad idea since you suggest to implement obfuscation to work around missing security. That is a bad idea. Instead you should fix security. Your service has to be robust so that such an attempt (which indeed will get performed) does not do any harm but will get rejected. Obfuscation raises a false sense of security and by this actually _lowers_ security, since the real issue will not get addressed. – arkascha Oct 09 '19 at 14:35

1 Answer


I don't think there is an official statement on this, but clearly $_GET uses the $_SERVER['QUERY_STRING'] order (tested in multiple PHP versions).

Emre Rothzerg
  • This may be correct (or not, a few tests do not prove anything, you are _assuming_ here). But still that says little, since that query string might not be unmodified from the requesting client's point of view. So be careful with assuming things. – arkascha Oct 08 '19 at 16:54
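
An added example, not part of the thread: it reads query-string values by position, the way the question proposes, and sets that beside a server-side check of the kind the comments call for. The helper names, the session user id 3 and the allow-list `[1, 2]` are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.

/** Values by ordinal position, as the question proposes to read them. */
function positional_values(string $queryString): array
{
    // parse_str() parses its input as if it were a URL query string.
    parse_str($queryString, $params);
    return array_values($params);
}

/**
 * Hypothetical server-side policy: a caller may act only on their own user id
 * and only through an allow-listed function code.
 */
function authorize(array $params, int $sessionUserId, array $allowedFunctions): bool
{
    $userId   = filter_var($params['userid'] ?? null, FILTER_VALIDATE_INT);
    $function = filter_var($params['function'] ?? null, FILTER_VALIDATE_INT);
    if ($userId === false || $function === false) {
        return false; // missing, non-integer or array-valued parameter
    }
    return $userId === $sessionUserId
        && in_array($function, $allowedFunctions, true);
}

// Constructed sample query strings.
$samples = [
    'a=123&b=453&c=xyz', // the URL from the question
    'x=3&y=1&x=56',      // duplicate name: later value replaces the earlier one in its slot
    'k=56&z=2',          // renamed keys: an edited value still lands in position 0
];
foreach ($samples as $qs) {
    echo $qs, ' => ', json_encode(positional_values($qs)), PHP_EOL;
}

// Same requests with meaningful names, checked against session user 3 (constructed).
foreach (['userid=3&function=1', 'userid=56&function=2', 'userid[]=3&function=1'] as $qs) {
    parse_str($qs, $req);
    echo $qs, ' => ', authorize($req, 3, [1, 2]) ? 'allowed' : 'rejected', PHP_EOL;
}
```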