|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #258 Magic Quotes strange behavior.
Submitted: 1998-04-09 17:48 UTC Modified: 1998-04-12 05:48 UTC
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: wntrmute at tampabay dot rr dot com Assigned:
Status: Closed Package: Other
PHP Version: 3.0 Release Candidate 3 OS: Debian Linux 2.0 (frozen)
Private report: No CVE-ID: None
 [1998-04-09 17:48 UTC] wntrmute at tampabay dot rr dot com
I have a script that accepts user input and dumps this input into a
Solid database.  Pretty standard web to db stuff, yes?

Magic quotes is very good at it's job, and does indeed escape the '
character with '', which the database is expecting.
However,  there is a new problem.  When the " character (that's a QUOTE,
not APOSTROPHE) appears in the string Magic quotes starts to do
something weird.

To duplicate this for yourselves, turn all quoting functions on in
php3.ini, create a form with a single text field entry, and a PHP3
script on the backend to catch the incoming form variable.

For the sake of arguement say that the variable "content" in my form = A
', and a ".
A command such as:

echo "' $content '";

Shows as:

' A '', and a ".

You may be wondering, as I am, where the end single apostrophe went to.

Because you see, this statement comes out just fine as long as we get
rid of the " in the variable.  Lets say that the
new contents of "content" = A ', and nothing else.

echo "' $content '";

Shows as:

' A '', and nothing else. '

Voila!  As if by magic (smirk), there's the single apostrophe again.

So what gives?

It would appear that Magic quotes doesn't like quote characters all that
much.  Apostrophes sure, but no ".

By the way, if I turn quote_gpc off, I can suddenly insert " characters,
but of course ' characters are no longer escaped.  It only happens when
quote_gpc is turned on.

To reiterate, to duplicate this you must turn all quoting functions on,
create a form with a simple text field, and a PHP3 script to catch and
echo that value in a statement such as this:

echo "' $your_variable '";

I'm not so much looking for ways to deal with this problem, but rather a
fix for this type of behavior (because I'm lazy, and having to re-escape
everything after PHP gets it seems a bit redundant).


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [1998-04-12 05:48 UTC] zeev
fixed in the latest CVS
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jun 18 10:01:29 2024 UTC