Bug #46759 magic_quotes_gpc doesn't work
Submitted: 2008-12-05 11:52 UTC Modified: 2008-12-06 17:54 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:1 (25.0%)
From: vrana@php.net Assigned:
Status: Closed Package: Variables related
PHP Version: 5.2.7 OS: Windows
Private report: No CVE-ID: None
 [2008-12-05 11:52 UTC] vrana@php.net
Description:
------------
magic_quotes_gpc doesn't escape $_GET, $_POST, $_COOKIE and $_REQUEST variables. It worked with the same configuration under 5.2.6.

I have magic_quotes_gpc set in php.ini.

Reproduce code:
---------------
URL: ?q='

<?php
var_dump(PHP_VERSION);
var_dump(get_magic_quotes_gpc());
var_dump($_GET["q"]);


Expected result:
----------------
string(5) "5.2.7"
int(1)
string(2) "\'"


Actual result:
--------------
string(5) "5.2.7"
int(1)
string(2) "'"


 [2008-12-06 01:28 UTC] brion at pobox dot com
This causes downstream MediaWiki bug:
https://bugzilla.wikimedia.org/show_bug.cgi?id=16570

Data corruption and failure to properly submit edits when magic_quotes_gpc is enabled. (Workaround: disable magic_quotes_gpc so input doesn't get munged by stripslashes().)

Presumably causes similar breakage in every other web app that attempts to correct for magic_quotes_gpc.
 [2008-12-06 10:03 UTC] cabel at panic dot com
We haven't yet had a chance to addslashes() our input in preparation for 
PHP 6.

So as it stands, this bug -- which we're also seeing with 5.2.7 -- 
currently means giant scary security holes in our scripts as we were 
relying on magic_quotes_gpc to make things "safe".

Not great...
 [2008-12-06 16:20 UTC] magicaltux@php.net
Fix for bug #42718 seems to be at the origin of this bug.

If the fix is reverted, magic_quotes_gpc works again as expected.
 [2008-12-06 17:08 UTC] magicaltux@php.net
After checking bug #42718 and filter extension's documentation, I believe enabling a filter *should not* disable magic_quotes_gpc (nothing is written in the documentation about this).

This patch allows application of magic_quotes_gpc *after* filters execution *if* enabled.

http://ookoo.org/svn/snip/php_5_2-broken_filter_and_magic_quotes.patch
 [2008-12-06 17:26 UTC] scottmac@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

I've backed out the fix for bug #42718
 [2008-12-06 17:54 UTC] lbarnaud@php.net
A quick workaround for 5.2.7 users is to add the following in the php.ini:

filter.default_flags=0
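
The downstream breakage described in the comments above, as an added example that is not part of the original thread or of any project's code: an application that undoes magic quotes whenever get_magic_quotes_gpc() reports 1 corrupts input if the escaping was never applied. The function names undo_magic_quotes, received and magic_quotes_flag_suspect are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example (not from the bug report). Sample inputs are constructed.

// The usual compatibility idiom: trust the flag and strip the escaping.
function undo_magic_quotes($value, $flagOn)
{
    return $flagOn ? stripslashes($value) : $value;
}

// What the application receives for one submitted value.
// $escaped = true  : PHP applied magic_quotes_gpc (the 5.2.6 behaviour).
// $escaped = false : the flag reports 1 but nothing was escaped
//                    (the 5.2.7 behaviour described in this report).
function received($submitted, $escaped)
{
    return $escaped ? addslashes($submitted) : $submitted;
}

// Hypothetical guard built only from facts in this report: version 5.2.7,
// magic_quotes_gpc on, and the filter.default_flags=0 workaround not set.
function magic_quotes_flag_suspect()
{
    return version_compare(PHP_VERSION, '5.2.7', '==')
        && get_magic_quotes_gpc()
        && ini_get('filter.default_flags') !== '0';
}

// Constructed inputs: a quote, literal backslashes, and both together.
$samples = array("O'Reilly", 'C:\\temp\\new', 'a \\\' b');

foreach ($samples as $submitted) {
    // Escaping applied, then undone: the round trip restores the input.
    $ok = undo_magic_quotes(received($submitted, true), true);
    // Escaping not applied, but still "undone": stripslashes() removes
    // backslashes that the user actually typed.
    $bad = undo_magic_quotes(received($submitted, false), true);
    printf("%-12s | working: %-12s | broken: %-12s | %s\n",
        $submitted, $ok, $bad,
        $bad === $submitted ? 'intact' : 'CORRUPTED');
}

if (magic_quotes_flag_suspect()) {
    trigger_error('magic_quotes_gpc reports 1 but may not be applied',
        E_USER_WARNING);
}
```

In the broken case the single quote also reaches the application unescaped, which is the exposure for code that relied on magic_quotes_gpc instead of escaping at the point of use.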

 
Last updated: Sun Feb 16 17:01:29 2025 UTC