|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22424 magic_quotes_gpc doesn't escape URL-encoded single quotes
Submitted: 2003-02-25 19:26 UTC Modified: 2003-02-25 19:35 UTC
From: oregon at pobox dot com Assigned:
Status: Not a bug Package: Variables related
PHP Version: 4.2.3 OS: Linux 2.4.9-31
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: oregon at pobox dot com
New email:
PHP Version: OS:


 [2003-02-25 19:26 UTC] oregon at pobox dot com
The magic_quotes_gpc option correctly escapes single quotes, but it ignores the single quote in GET data when the single quote is URL-encoded (as %27).  This causes database errors on submitted data what was supposed to be handled by magic_quotes_gpc.  

Example: calling a script "view.php" with city set to "Martha's Vinyard" URL-encoded will generate a DB error when the city is passed to a database query...


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2003-02-25 19:35 UTC] oregon at pobox dot com
Nevermind, it actually does work apparently.
 [2003-02-28 00:24 UTC] moderator at blackpeeps dot com
I am noticing this same problem since i upgraded to 4.3.0 in January. I have rows stored in mysql tables that have colums which contain text data with single quotes. (') for example: table.field= "I don't like fried chicken"
Prior to 4.3.0 the insert or update to mysql worked fine, now my users get "You have an error in your SQL syntax near"

Honestly, cannot say whether this issue is mysql related or PHP 4.3.0
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Tue Nov 28 09:01:26 2023 UTC