Request #16480 strings should remember whether they are magic_quoted, htmlized or neither
Submitted: 2002-04-07 19:09 UTC
Modified: 2010-04-06 19:33 UTC
Votes: 2
Avg. Score: 3.0 ± 2.0
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: vdhome at idas dot cz
Assigned:
Status: Wont fix
Package: *General Issues
PHP Version: 4.3.0
OS: any
Private report: No
CVE-ID: None

 
 [2002-04-07 19:09 UTC] vdhome at idas dot cz
Idea: any string should "know" whether AddSlashes (or magic quotes) or HtmlSpecialChars or neither has been applied to it. Then you could have functions declare what kind of string they expect as parameters and what kind of string they return, and PHP would automatically do the conversion. When writing string literals, one could indicate the type by prepending a letter: q"..." for magic-quoted (or s"..." for added slashes, which is the same), and h"..." for HTMLized string. When including variables in a string literal, PHP would convert them, if necessary, to the same string type as the literal. Then you could write:

mysql_query(q"INSERT INTO table VALUES('$var')");

and PHP would do the right thing regardless of whether $var has the quotes escaped or not, because it would _know_ if it has, and escape them if it has not.

The example for HTMLized string goes like this:
echo h"<INPUT TYPE=HIDDEN NAME=whatever VALUE=\"$var\">";

Of course, PHP would also have to correctly handle string concatenations etc. - when you join several strings of different kinds, it should convert all of them to the kind of the first one...

If you don't like the q"..." syntax, the same could be done with typecasting: (EscapedString)"..." and (HTMLizedString)"..." - in fact, it's probably better, because that way you could typecast any strings (or any values, in fact), not just string literals.

I think it is a problem that now the behaviour of applications is seriously dependent on PHP's configuration of magic_quotes - this would solve it! (I.e. now, when I write a script that expects magic_quotes on, it will have serious security holes when run with magic_quotes off!)

Wow, isn't that a brilliant idea! ;-) (You can't expect praise from anyone but yourself.)
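
The idea in this request, a string that remembers it is already HTML-escaped so that it is escaped exactly once, can be approximated in userland with a wrapper class. This is an added example, not code from the report, the linked patch, or PHP itself; the class HtmlString and its methods are hypothetical, and it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical wrapper: a string that "knows" it is already HTML-escaped.
final class HtmlString
{
    private function __construct(private string $html) {}

    // Plain (untrusted) text: escaped exactly once on the way in.
    public static function fromPlain(string $plain): self
    {
        return new self(htmlspecialchars($plain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
    }

    // Markup written by the developer (the h"..." literal of the proposal).
    public static function literal(string $markup): self
    {
        return new self($markup);
    }

    // Concatenation converts every operand to the HTML kind first.
    public function append(string|HtmlString ...$parts): self
    {
        $out = $this->html;
        foreach ($parts as $part) {
            $out .= ($part instanceof self) ? $part->html : self::fromPlain($part)->html;
        }
        return new self($out);
    }

    public function __toString(): string
    {
        return $this->html;
    }
}

// Constructed sample input standing in for a request parameter.
$var = 'Tom "T" & <Jerry>';

$field = HtmlString::literal('<INPUT TYPE=HIDDEN NAME=whatever VALUE="')
    ->append($var)                       // plain string: escaped here
    ->append(HtmlString::literal('">')); // markup: passed through unchanged

// $field is already of the HTML kind, so it is not escaped a second time.
$again = HtmlString::literal('<p>')->append($field, HtmlString::literal('</p>'));

echo $field, PHP_EOL;
echo $again, PHP_EOL;
```

Any bare PHP string passed to append() is treated as plain text and escaped, so markup has to be declared explicitly with literal(); that is the userland equivalent of the "unknown" versus typed string distinction discussed in this report.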

 [2002-04-09 13:42 UTC] vdhome at idas dot cz
Clarification: to preserve backward compatibility, string literals without a string type specification would have an "undefined" or "unknown" type and PHP wouldn't do any automatic conversion on them. This makes it necessary to add a type specifier for normal, non-escaped, non-HTMLized strings: n"..." or (NormalString)"...", or perhaps (PlainString)"...".
 [2002-04-19 11:20 UTC] sniper@php.net
Real solution is to remove those magic_* options altogether.
And write your code using the addslashes(), etc.

This feature is not the way to go.

 [2002-05-01 22:39 UTC] vdhome at idas dot cz
Bogus? BOGUS?!?! Whaddaya mean, bogus?! I'm offended!

;-) OK, I'm not. But Bugzilla's WONTFIX is certainly much more polite, though just as disappointing.

Anyway, as the saying goes, talk is cheap but code is free. (Of course, not all code is free and some talk can get you into prison...) Well, the saying doesn't mention code, but after all, we're extending languages, aren't we?

OK, I'm getting to the point. You can download the patch at: http://nebuchadnezzar.zion.cz/php_strings.php

Try it, test it, read what I have to say about it, perhaps even use it, make an opinion and tell me what it is! Just don't forget it's early alpha, nearly untested code.

Sniper, why do you want to remove magic_quotes _and_ not implement string types? That's cruel!

Is it a definitive and shared opinion that "This feature is not the way to go."? Has there been any debate? (Sorry, I'm not subscribed to the mailing lists.) What do the other developers think? Have you even seriously considered it?
 [2002-05-06 22:16 UTC] spearow at prodigy dot net
Is it really that hard to write a few lines of code to check if magic_quotes is enabled or not and addslashes() or stripslashes() your variables as desired?
 [2010-04-06 19:33 UTC] rasmus@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues
 [2010-04-06 19:33 UTC] rasmus@php.net
We aren't going to do this.
 
Last updated: Thu Mar 28 23:01:26 2024 UTC