Joomla error: 'Illegal variable _files or _env or _get or _post or _cookie or _server or _session or globals passed to script'

Question

I am getting this error in Joomla:

Illegal variable `_files` or `_env` or `_get` or `_post` or `_cookie`
or `_server` or `_session` or `globals` passed to script         


        

Answer 1

You'll see this error if you try to specify a URL parameter whose name consists solely of digits, e.g.

http://www.example.com/?1234567=test

or if you try to use a joomla-reserved variable, e.g.

http://www.example.com/?_files=test

It's not a great error message. If you have access to a unix terminal, you can debug these kind of problems with some command-line tools, e.g.

$ find /var/www/html -exec grep -l 'Illegal variable' {} \;
/var/www/html/libraries/joomla/environment/request.php

This is a fictional joomla installation, assuming a fairly standard DocumentRoot. The result immediately confirms this is a Joomla error, and reports which file caused it. Extract from that file:

static $banned = array( '_files', '_env', '_get', '_post', '_cookie', '_server', '_session', 'globals' );

foreach ($array as $key => $value)
{   
    // PHP GLOBALS injection bug 
    $failed = in_array( strtolower( $key ), $banned );

    // PHP Zend_Hash_Del_Key_Or_Index bug 
    $failed |= is_numeric( $key );

    if ($failed) {
        jexit( 'Illegal variable ' . implode( ' or ', $banned ) . ' passed to script.' );
    }
    ...
}

Note that the error message is particularly misleading because, not only is in thrown in the case of a reserved variable name, but also if the parameter name is numeric.