Bug #46759 magic_quotes_gpc doesn't work
Submitted: 5 Dec 2008 11:52am UTC
Modified: 6 Dec 2008 5:54pm UTC
From: vrana@php.net
Assigned to:
Status: Closed
Category: Variables related
Version: 5.2.7
OS: Windows
Votes: 4
Avg. Score: 4.8 ± 0.4
Reproduced: 4 of 4 (100.0%)
Same Version: 4 (100.0%)
Same OS: 1 (25.0%)

[5 Dec 2008 11:52am UTC] vrana@php.net
Description:
------------
magic_quotes_gpc doesn't escape $_GET, $_POST, $_COOKIE and $_REQUEST
variables. It worked with the same configuration under 5.2.6.

I have magic_quotes_gpc set in php.ini.

Reproduce code:
---------------
URL: ?q='

<?php
var_dump(PHP_VERSION);
var_dump(get_magic_quotes_gpc());
var_dump($_GET["q"]);

Expected result:
----------------
string(5) "5.2.7"
int(1)
string(2) "\'"

Actual result:
--------------
string(5) "5.2.7"
int(1)
string(2) "'"

[6 Dec 2008 1:28am UTC] brion at pobox dot com
This causes downstream MediaWiki bug:
https://bugzilla.wikimedia.org/show_bug.cgi?id=16570

Data corruption and failure to properly submit edits when
magic_quotes_gpc is enabled. (Workaround: disable magic_quotes_gpc so
input doesn't get munged by stripslashes().)

Presumably causes similar breakage in every other web app that attempts
to correct for magic_quotes_gpc.
[6 Dec 2008 10:03am UTC] cabel at panic dot com
We haven't yet had a chance to addslashes() our input in preparation for
PHP 6.

So as it stands, this bug -- which we're also seeing with 5.2.7 -- 
currently means giant scary security holes in our scripts as we were 
relying on magic_quotes_gpc to make things "safe".

Not great...
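
Added example (not part of the bug report or of PHP's source): the two downstream failure modes described in the two comments above, reproduced on current PHP. $reportedOn stands in for get_magic_quotes_gpc(), the notes table and sample values are constructed, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added illustration; all inputs below are constructed.

// Shim of the kind applications carried to "correct for" magic_quotes_gpc.
// It trusts the reported setting; $reportedOn stands in for
// get_magic_quotes_gpc() so the example runs without that function.
function undo_magic_quotes($value, $reportedOn)
{
    return $reportedOn ? stripslashes($value) : $value;
}

// Failure mode 1: the setting reports "on" but the data arrives unescaped,
// as in the report. The shim then removes backslashes the user really typed.
$typed = 'C:\\temp\\notes';               // user typed C:\temp\notes
var_dump($typed);
var_dump(undo_magic_quotes($typed, true));

// Failure mode 2: code that relied on magic quotes to make quotes "safe".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (author TEXT)');

$q = "O'Brien";                           // arrives unescaped, like ?q='

// String-built query: the unescaped quote ends the literal early.
try {
    $pdo->exec("INSERT INTO notes (author) VALUES ('$q')");
    echo "concatenated insert succeeded\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: ", $e->getMessage(), "\n";
}

// Bound parameter: the value never becomes part of the SQL text, so the
// result does not depend on magic_quotes_gpc or on this bug.
$stmt = $pdo->prepare('INSERT INTO notes (author) VALUES (:author)');
$stmt->execute(array(':author' => $q));
var_dump($pdo->query('SELECT author FROM notes')->fetchColumn());
```
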
[6 Dec 2008 4:20pm UTC] magicaltux@php.net
Fix for bug #42718 seems at the origin of this bug.

If the fix is reverted, magic_quotes_gpc works again as expected.
[6 Dec 2008 5:08pm UTC] magicaltux@php.net
After checking bug #42718 and filter extension's documentation, I
believe enabling a filter *should not* disable magic_quotes_gpc (nothing
is written in the documentation about this).

This patch allows application of magic_quotes_gpc *after* filters
execution *if* enabled.

http://ookoo.org/svn/snip/php_5_2-broken_filter_and_magic_quotes.patch
[6 Dec 2008 5:26pm UTC] scottmac@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

I've backed out the fix for bug #42718
[6 Dec 2008 5:54pm UTC] lbarnaud@php.net
A quick workaround for 5.2.7 users is to add the following in the
php.ini:

filter.default_flags=0

Last updated: Sat Nov 21 10:30:49 2009 UTC