ds000001 2012-08-09 09:12
33 views
Accepted

PHP: disable the automatic conversion of input[] into arrays

If you post an HTML form with inputs having names ending with [], PHP will automatically make these $_POST values into an array.

For example, without brackets:

<input name="email" value="a" />

var_dump($_POST["email"])    
//string 'a' (length=1)

With brackets:

<input name="email[]" value="a" />
<input name="email[]" value="b" />

var_dump($_POST["email"])    
//array
//  0 => string 'a' (length=1)
//  1 => string 'b' (length=1)

My problem is that previously I didn't know about this, so I've been coding my website with the assumption that $_POST variables are always of type string. Naturally I perform standard input validation, but only assuming that the variables already are strings.

So what if a hacker takes one of my normal inputs, like <input name="email" .../>, and posts it with the brackets after? Then my code fetching $_POST["email"] would be an array!

I could imagine there are cases where this would be a security problem; for example, a startsWith function could work on both strings and arrays. I haven't researched the full implications of it and I don't want to either; I just want to disable the function completely so I can trust all $_POST variables to always be strings.

Is there any way to disable this function globally or is the only option to find-replace all and add a (string)-cast in front of every access of $_POST?


1 answer

  • ds2321 2012-08-09 09:20

    You could just loop through the POST array, and fix them this way. But, since you said you don't ever plan to need this, why not just loop through the _POST array, check if anything is a non-string, and then just throw an exception? No need to give the hypothetical hacker a nice fallback or workaround :)

    // Reject the whole request as soon as any POST value is not a plain string
    // (an array here means the client used a bracketed name such as email[]).
    foreach ($_POST as $val) {
       if (!is_string($val)) {
          throw new InvalidArgumentException('POST arguments should be strings only');
       }
    }

    I find the best way to deal with such issues is to be strict, and throw exceptions for cases where a client (browser/evil guy) is clearly messing around with stuff ;)

    This answer was selected as the best answer by the asker.
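The check from the answer, carried a little further as an added example (this is not code from the original post or from either poster): one function that validates a whole $_POST array once, plus a typed accessor for individual fields, demonstrated on two constructed request bodies so it runs without a web server. The function names requireStringPost and postString are assumptions made for this example.

```php
<?php
// Added example (not from the original post): reject any $_POST value that is
// not a plain string, so downstream code can rely on string inputs.
declare(strict_types=1);

/**
 * Return $post unchanged if every value is a string; otherwise throw.
 * The offending key and its type are included so the rejection can be logged.
 */
function requireStringPost(array $post): array
{
    foreach ($post as $key => $value) {
        if (!is_string($value)) {
            // Arrays come from names like "email[]" or "email[x]"; any other
            // non-string type would also be unexpected from a form post.
            throw new InvalidArgumentException(
                sprintf('POST field "%s" must be a string, %s given', $key, gettype($value))
            );
        }
    }
    return $post;
}

/**
 * Typed accessor for a single field: returns the string, or $default when the
 * field is absent, and throws when the client sent an array instead.
 */
function postString(array $post, string $key, string $default = ''): string
{
    if (!array_key_exists($key, $post)) {
        return $default;
    }
    if (!is_string($post[$key])) {
        throw new InvalidArgumentException(
            sprintf('POST field "%s" must be a string, %s given', $key, gettype($post[$key]))
        );
    }
    return $post[$key];
}

// --- Demonstration with constructed request bodies (no web server needed) ---

// What PHP builds for the body:  email=a&name=Bob
$normal = ['email' => 'a', 'name' => 'Bob'];

// What PHP builds for the body:  email[]=a&email[]=b&name=Bob  (bracketed name)
$tampered = ['email' => ['a', 'b'], 'name' => 'Bob'];

requireStringPost($normal);
echo 'normal request accepted, email=', postString($normal, 'email'), "\n";
echo 'missing field falls back to default: "', postString($normal, 'phone', ''), '"', "\n";

try {
    requireStringPost($tampered);
    echo "unreachable: tampered request should have been rejected\n";
} catch (InvalidArgumentException $e) {
    echo 'tampered request rejected: ', $e->getMessage(), "\n";
}

// In a real application, call requireStringPost($_POST) once in the front
// controller, before any handler reads $_POST, and answer with HTTP 400 when
// it throws; postString() then covers individual fields in handlers.
```

Running this once at the entry point is the practical substitute for "disabling" the feature: PHP has no setting that turns bracket parsing off, so the defence is to fail closed before any handler touches the data. The same check can also be applied to $_GET, since query strings are parsed with the same bracket rules.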
