PHP :: Bug #22424 :: magic_quotes_gpc doesn't escape URL-encoded single quotes

Bug #22424	magic_quotes_gpc doesn't escape URL-encoded single quotes
Submitted:	2003-02-25 19:26 UTC	Modified:	2003-02-25 19:35 UTC
From:	oregon at pobox dot com	Assigned:
Status:	Not a bug	Package:	Variables related
PHP Version:	4.2.3	OS:	Linux 2.4.9-31
Private report:	No	CVE-ID:	None

View Developer Edit

[2003-02-25 19:26 UTC] oregon at pobox dot com

The magic_quotes_gpc option correctly escapes single quotes, but it ignores the single quote in GET data when the single quote is URL-encoded (as %27).  This causes database errors on submitted data what was supposed to be handled by magic_quotes_gpc.  

Example: calling a script "view.php" with city set to "Martha's Vinyard" URL-encoded will generate a DB error when the city is passed to a database query...

http://mywebsite.com/view.php?city=Martha%27s+Vinyard

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-02-25 19:35 UTC] oregon at pobox dot com

Nevermind, it actually does work apparently.

[2003-02-28 00:24 UTC] moderator at blackpeeps dot com

I am noticing this same problem since i upgraded to 4.3.0 in January. I have rows stored in mysql tables that have colums which contain text data with single quotes. (') for example: table.field= "I don't like fried chicken"
Prior to 4.3.0 the insert or update to mysql worked fine, now my users get "You have an error in your SQL syntax near"

Honestly, cannot say whether this issue is mysql related or PHP 4.3.0

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 17:00:01 2025 UTC