Open mhalachev opened 1 month ago
I found a similar issue reported back in 2009, under Bug #49184. Although that report pertains to a slightly different scenario, it resembles the unexpected behaviour when using PHP-FPM. Notably, it is reproducible in PHP 8.3.10 (PHP-FPM with nginx).
Description
Summary: When using PHP-FPM, accessing the
$_ENV
superglobal withfilter_var()
or directly can cause the$_SERVER
superglobal to lose its values, specificallyREMOTE_ADDR
, which unexpectedly becomesnull
. Notably, this occurs even if the code accessing$_ENV
is placed after anexit
, which should prevent it from executing. This behavior does not occur when using PHP with other SAPIs, such as Apache’smod_php
.Steps to Reproduce:
$remoteAddr = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP);
if ($remoteAddr === null) { echo 'REMOTE_ADDR is not set'; } elseif ($remoteAddr === false) { echo 'Invalid IP address'; } else { echo "IP Address: $remoteAddr"; }
exit;
// Accessing $_ENV with filter_var, which should not execute due to the exit above $appEnv = filter_var($_ENV['APP_ENV'], FILTER_SANITIZE_SPECIAL_CHARS);
$_ENV
, the issue does not occur, and$_SERVER['REMOTE_ADDR']
is correctly set, even though this line should not execute due to the preceding exit.Question: Is this behavior expected when using PHP-FPM, or is it a quirk that should be addressed? The fact that this occurs even with the exit command in place suggests there might be an underlying issue in how PHP-FPM manages superglobals. If it’s expected, could it be documented more clearly to avoid confusion for developers relying on superglobals like
$_SERVER
and$_ENV
?PHP Version
PHP 8.3.10, observed down to PHP 5.6.40
Operating System
No response