I was under the impression that what ever is inserted into a <input type="text" name="something"> would be recieved as a string in PHP with $_POST['something'].
But now im running a tools to test my website and somehow $_POST['something'] can be an array.
How is that possible ?
If in your form you have inputs like <input name="something[]" ... /> you can have many of them or <select name="something[]" multiple ... />, etc.
$_POST['something'] would be an array.
It's common 'hack'. You should always verify that variables you get are in format you expect. Example with $_GET:
http://127.0.0.1/hack_test.php?a[]=3&a[]=5?a[]=3&a[]=5
Example with $_GET and 'keys' of array:
http://127.0.0.1/hack_test.php?a[3]=3&a[hack_name]=5
If you put:
<?php
var_dump($_GET);
In hack_test.php it will show:
array(1) {
["a"]=>
array(2) {
[0]=>
string(1) "3"
[1]=>
string(1) "5"
}
}
Variable $_GET['a'] is array with 2 elements!
It's like that in PHP, because website forms sometimes require that feature. Example:
<form ..>
<input type="checkbox" name="multicheckbox[]" value="chicken" />
<input type="checkbox" name="multicheckbox[]" value="apple" />
<input type="checkbox" name="multicheckbox[]" value="sugar" />
</form>
I called it 'hack', because:
If you use other PHP feature 'string is array of bytes' then someone can send you modified data to script, ex. $x = "abc"; $a = $x[0]; echo $a; -> 'a'
If you put data from input [form] in SQL query without verification, hacker can use it to make 'invalid query format' and in some cases, it let him get some information from database!