In PHP it's possible to have arrays in `$_GET`, `$_POST`, `$_COOKIE`, `$_FILES` and `$_REQUEST` according to the PHP documentation. The problem is that those come from the user and I might get them instead of strings. For example, consider the following snippet.
```php
<?php
if (isset($_GET['hello'])) {
    echo 'Hello, ', htmlspecialchars($_GET['hello']), '.';
}
else {
    echo '<form action="?"><input name="hello"><input type="submit"></form>';
}
```
Looks OK? Well, as long as you do not work with the URL it will work correctly. The problem is that a hacker can try making `$_GET['hello']` an array. If the URL string looks like `?hello[]=something`, PHP will return an error message:
Warning: htmlspecialchars() expects parameter 1 to be string, array given in FILE on line 3
OK, who would enable HTML errors on a production site (the other thing is the error log...). But integers are also a problem - PHP is a dynamically typed language, so it would easily accept code like `'2' + 2`. While yes, you can use `(int)`, I have some old code which doesn't do that. If a string comes from `$_GET` or `$_POST` it could also be an array. Something like `array('2') + 2` would cause a PHP fatal error.
Fatal error: Unsupported operand types in FILE on line 3
Now that's something that isn't acceptable because it would stop the script. I don't need arrays in those variables, but they annoy me. Is there any simple snippet which would remove arrays from those special variables? If I really wanted an array, I could make a copy of it before running the snippet.
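
One way to do what the question asks, as an added example that is not part of the original post: drop every array-valued entry from the request superglobals before the rest of the script runs. The function names are hypothetical and the sample `$_GET` is constructed for the demonstration.

```php
<?php
// Added example: helper names are hypothetical, not from the original post.

/** Return a copy of $input with every array-valued entry removed. */
function drop_array_values(array $input)
{
    return array_filter($input, function ($value) {
        return !is_array($value);
    });
}

/**
 * Return a copy of a $_FILES-shaped array without multi-file uploads.
 * A normal single upload is itself an array (name, type, tmp_name, error,
 * size), so the test is whether its 'error' field is an array.
 */
function drop_array_uploads(array $files)
{
    return array_filter($files, function ($file) {
        return is_array($file) && isset($file['error']) && !is_array($file['error']);
    });
}

/** Strip array parameters from the request superglobals in place. */
function strip_array_inputs()
{
    $_GET     = drop_array_values($_GET);
    $_POST    = drop_array_values($_POST);
    $_COOKIE  = drop_array_values($_COOKIE);
    $_REQUEST = drop_array_values($_REQUEST); // built separately by PHP, so filter it too
    $_FILES   = drop_array_uploads($_FILES);
}

// Constructed sample input standing in for ?hello[]=something&n=2
$_GET = ['hello' => ['something'], 'n' => '2'];
$_POST = $_COOKIE = $_FILES = [];
$_REQUEST = $_GET;

strip_array_inputs();

var_dump(isset($_GET['hello']));  // the array parameter has been removed
var_dump((int) $_GET['n'] + 2);   // scalar parameters are left untouched
```

Call `strip_array_inputs()` once at the top of the entry script; any array that is genuinely needed has to be copied out of the superglobal before that call.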