php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #28373 Backslashes no longer escaped in $_SERVER variables
Submitted: 2004-05-12 18:04 UTC Modified: 2005-01-26 04:55 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: phpbugreport at thedigitalnetwork dot com Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 5CVS-2004-05-12 (dev) OS: Windows XP SP1
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: phpbugreport at thedigitalnetwork dot com
New email:
PHP Version: OS:

 

 [2004-05-12 18:04 UTC] phpbugreport at thedigitalnetwork dot com 
Description:
------------
In PHP4.3.4, $_SERVER['HTTP_REFERER'], along with others like PATH, SystemRoot, COMSPEC and WINDIR, have any backslashes escaped.
 
In PHP5RC2 & the current DEV (php5-win32-200405121430.zip) version, the items in $_SERVER are not escaped anymore.

I could find no mention in the bug database or change logs, so I wondered if this was a change in the way Super Globals are handled, since $_SERVER is not part of "GPC"?

Relevent INI settings:
----------------------
register_globals=Off
register_argc_argv = Off

gpc_order = "GPC"
variables_order = "GPCS"

magic_quotes_gpc = On
magic_quotes_runtime = Off    
magic_quotes_sybase = Off
----------------------
Thanks for your assistance!

Reproduce code:
---------------
phpinfo();

Expected result:
----------------
Expect to see items in _SERVER with backslashes escaped:

[HTTP_REFERER] => http://localhost/Browse.php?Category=\\Language%20Arts\\Reading\\Letter%20TV&Level=4
[PATH] => C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\Program Files\\Common Files\\GTK\\2.0\\bin
[SystemRoot] => C:\\WINDOWS
[COMSPEC] => C:\\WINDOWS\\system32\\cmd.exe


Actual result:
--------------
Unescaped backslashes:

[HTTP_REFERER] => http://localhost/Browse.php?Category=\Language%20Arts\Reading\Letter%20TV&Level=4
[PATH] => C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\\TK\2.0\bin
[SystemRoot] => C:\WINDOWS
[COMSPEC] => C:\WINDOWS\system32\cmd.exe

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-01-26 04:55 UTC] sniper@php.net 
Bug was fixed. (phpinfo() output is not necessarily the "real" data, it's usually modified to _look_ good)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Jul 13 12:01:31 2025 UTC