PHP Warning: Array to string conversion

Question

I have this code in my file:

if (is_array($_REQUEST))
   $cepl=implode(' ', $_REQUEST);

every couple of days I get this warning in php log: PHP Warning: Array to string conversion in /file.php on line 76

line 76 is: $cepl=implode(' ', $_REQUEST);

I can't find out what is causing this warning?!

Answer 1

The definition of the implode function is very roughly equivalent to this (this is just an illustration, not tested code):

function not_really_implode($glue, $pieces) {
   $result = '';
   $first = true;
   foreach ( $pieces as $piece ) {
      if ( ! $first ) {
          $result .= $glue;
      }
      $pieceAsString = (string)$piece;
      $result .= $pieceAsString;
      $first = false;
   }
   return $result;
}

The key point is the line $pieceAsString = (string)$piece; - in order to combine the elements of the array, implode has to convert each of them in turn to strings.

Now consider what happens if $pieces looks like this:

$pieces = [
   'one',
   ['two-a', 'two-b'],
   'three',
];

At some point in our loop, we're going to have $piece = ['two-a', 'two-b'], and try to convert it to a string - whoops!

So, the warning comes about because inside your $_REQUEST array, there are other arrays. There's a couple of ways this can happen:

1. $_REQUEST can be written to directly. For instance, someone can write $_REQUEST['example'] = ['a', 'b'];
2. PHP recognises certain notations in input to mean arrays. For instance, someone can visit the url /your-page.php?example[]=a&example[]=b and $_REQUEST will automatically be populated with ['a', 'b'].

This leads to a very important reminder: Never trust user input! Making any assumptions about what's in $_REQUEST is very dangerous, because that input is under the user's control, and the user might not be your friend.