PHP will convert all dots and spaces in variable names to underscores, and this is the standard PHP behaviour.
In the official manual, it says:
Note: Dots and spaces in variable names are converted to underscores. For example <input name="a.b" /> becomes $_REQUEST["a_b"].
Since this behaviour isn't that well-known to developers, it's obviously some developers will write some validating functions like:
if (strstr($_SERVER['QUERY_STRING'], '_')) {
die("'_' is not allowed!")
} else {
do_something();
}The developer may want to ensure that users cannot give any query key containing underscore, because variable names with underscore often refer to private or sensitive variables.
However, we know PHP will convert dots and spaces in variable names to underscores now, it's easy to bypass the limitation.