Doc Bug #40586 _ENV vars get escaped when magic_quotes_gpc is on
Submitted: 2007-02-21 20:30 UTC Modified: 2007-08-17 11:03 UTC
From: gk at gknw dot de Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.4.x OS: at least NetWare, Win32
Private report: No CVE-ID: None
 [2007-02-21 20:30 UTC] gk at gknw dot de
Description:
------------
With PHP 4.3.x and 4.4.x the _ENV superglobals get escaped if they contain backslashes and magic_quotes_gpc is on.
This does happen with the Apache SAPI as well as with the CLI on the command line. When I getenv() the same environment vars this doesn't happen.
Also compared to PHP 5.2.x where this doesn't happen - regardless of the magic_quotes_gpc setting.
I dug through the docu but couldn't find anything about this 'feature' mentioned with 4.x, nor the difference that it was dropped with 5.x.


Expected result:
----------------
I think this 'feature' should be mentioned in the docu, and the difference between 4.x and 5.x behaviour, also because with 4.x magic_quotes_gpc is on by default.



 [2007-03-23 15:56 UTC] vrana@php.net
This behavior is wrong. _gpc stands for GET, POST, COOKIE.
 [2007-03-26 10:33 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-03-26 11:06 UTC] derick@php.net
I think we should document this instead, as changing it might cause security problems for people.
 [2007-03-30 16:00 UTC] gk at gknw dot de
I doubt that the fix might turn into a security problem because it's related to the system's _ENV vars, and not to something coming from outside - if we can't even trust the system's env vars then there's something wrong with the whole system's setup.
Also everyone who now expects this behavior in his code builds upon an undocumented feature.

greets, Günter.
 [2007-08-17 11:03 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

"In PHP 4, also Environment variables: $_ENV  variables are escaped."
 
Last updated: Thu Apr 18 22:01:28 2024 UTC