For example, you can get a warning if you fake the name field in the login form.
This applies to a lot of Drupal forms and can potentially cause security problems.
The most common error messages:
- Warning: htmlspecialchars() expects parameter 1 to be string, array given in check_plain() (line 1348 of .../includes/bootstrap.inc).
- Warning: trim() expects parameter 1 to be string, array given in comment_submit() (line 2159 of .../modules/comment/comment.module).
- Warning: mb_strlen() expects parameter 1 to be string, array given in drupal_strlen() (line 441 of .../includes/unicode.inc).
- Warning: Invalid argument supplied for foreach() in drupal_explode_tags() (line 7083 of .../includes/common.inc).
- Warning: array_unique() expects parameter 1 to be array, null given in drupal_explode_tags() (line 7080 of .../includes/common.inc).
- Warning: preg_match_all() expects parameter 2 to be string, array given in drupal_explode_tags() (line 7079 of .../includes/common.inc).
- Warning: strpos() expects parameter 1 to be string, array given in user_validate_name() (line 626 of .../modules/user/user.module).
- Warning: substr() expects parameter 1 to be string, array given in user_validate_name() (line 623 of .../modules/user/user.module).
- Warning: addcslashes() expects parameter 1 to be string, array given in DatabaseConnection->escapeLike() (line 965 of .../includes/database\database.inc).
There is a related issue, #1242472: Invalid type of $_GET variables causes PHP warnings and notices when treated as strings
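A type guard for the warnings listed above, as an added example that is not part of the original issue or of Drupal core: it rejects a field that should be text but arrives as an array before the value reaches `trim()`, `substr()` or `htmlspecialchars()`. The helper name `example_non_string_fields()` and the sample submissions are assumptions made for illustration, and the type declarations assume PHP 7.0 or later.

```php
<?php
// Added example, not Drupal core code. example_non_string_fields() is a
// hypothetical helper; the sample submissions below are constructed.

/**
 * Lists submitted fields that should be plain text but are not strings.
 *
 * PHP builds an array from a parameter sent as name[]=..., so a value the
 * form defines as one text field can reach validation as an array.
 *
 * @param array $input  Raw submitted values, e.g. $_POST.
 * @param array $fields Keys that must hold a string when present.
 * @return array Map of offending key => actual PHP type.
 */
function example_non_string_fields(array $input, array $fields): array {
  $bad = [];
  foreach ($fields as $key) {
    if (array_key_exists($key, $input) && !is_string($input[$key])) {
      $bad[$key] = gettype($input[$key]);
    }
  }
  return $bad;
}

// Constructed submissions: a normal login and one with "name" sent as an array.
$submissions = [
  'normal' => ['name' => 'alice', 'pass' => 'correct horse'],
  'forged' => ['name' => ['alice'], 'pass' => 'correct horse'],
];

foreach ($submissions as $label => $input) {
  $bad = example_non_string_fields($input, ['name', 'pass']);
  if ($bad) {
    // Reject before trim(), substr(), htmlspecialchars() ever see the value.
    foreach ($bad as $key => $type) {
      printf("%s: rejected, field '%s' is %s, expected string\n", $label, $key, $type);
    }
    continue;
  }
  // Only now is it safe to treat the value as text.
  $name = trim($input['name']);
  printf("%s: accepted name '%s'\n", $label, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
}
```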
Comments
Comment #1
Dave Reid: This issue should be solved exactly like the $_GET issue:
Comment #2
Chi: So we are waiting for a security issue.
Comment #3
xjm: I don't think there is any reason to anticipate a security issue.
Comment #4
Chi: It's time to rethink this as the security issue has come.
Comment #11
catch: This is being resolved in #3162016: [Symfony 6] Retrieving a non-string value from "Symfony\Component\HttpFoundation\InputBag::get()" is deprecated, marking duplicate.