If you post a html form with inputs having names ending with [], php will automatically make these $_POST-values into an array.
For example, without brackets:
<input name="email" value="a" />
var_dump($_POST["email"])
//string 'a' (length=1)
With brackets:
<input name="email[]" value="a" />
<input name="email[]" value="b" />
var_dump($_POST["email"])
//array
// 0 => string 'a' (length=1)
// 1 => string 'b' (length=1)
My problem is that previously i didn’t know about this so i’ve been coding my website with the assumption that $_POST-variables always are of type string. Naturally i perform standard input validation but only assuming that the variables already are strings.
So what if a hacker takes one of my normal inputs, like <input name="email" .../> and posts it with the brackets after. Then my code fetching $_POST[“email”] would be an array!
I could imagine there are cases where this would be a security problem, for example startsWith-function could work on both strings and arrays. I haven’t researched the full implications of it and i don’t want to either, i just want to disable the function completely so i can trust all $_POST-variables to always be strings.
Is there any way to disable this function globally or is the only option to find-replace all and add a (string)-cast in front of every access of $_POST?
You could just loop through the POST array, and fix them this way.
But, since you said you don’t ever plan to need this, why not just loop through the _POST array, check if anything is a non-string, and then just throw an exception? No need to give the hypothetical hacker a nice fallback or workaround 🙂
I find the best way to deal with such issues is to be strict, and throw exceptions for cases where a client (browser/evil guy) is clearly messing around with stuff 😉