php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #258 Magic Quotes strange behavior.
Submitted: 1998-04-09 17:48 UTC Modified: 1998-04-12 05:48 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: wntrmute at tampabay dot rr dot com Assigned:
Status: Closed Package: Other
PHP Version: 3.0 Release Candidate 3 OS: Debian Linux 2.0 (frozen)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: wntrmute at tampabay dot rr dot com
New email:
PHP Version: OS:

 

 [1998-04-09 17:48 UTC] wntrmute at tampabay dot rr dot com
I have a script that accepts user input and dumps this input into a
Solid database.  Pretty standard web to db stuff, yes?

Magic quotes is very good at it's job, and does indeed escape the '
character with '', which the database is expecting.
However,  there is a new problem.  When the " character (that's a QUOTE,
not APOSTROPHE) appears in the string Magic quotes starts to do
something weird.

To duplicate this for yourselves, turn all quoting functions on in
php3.ini, create a form with a single text field entry, and a PHP3
script on the backend to catch the incoming form variable.

For the sake of arguement say that the variable "content" in my form = A
', and a ".
A command such as:

echo "' $content '";

Shows as:

' A '', and a ".

You may be wondering, as I am, where the end single apostrophe went to.

Because you see, this statement comes out just fine as long as we get
rid of the " in the variable.  Lets say that the
new contents of "content" = A ', and nothing else.

echo "' $content '";

Shows as:

' A '', and nothing else. '

Voila!  As if by magic (smirk), there's the single apostrophe again.

So what gives?

It would appear that Magic quotes doesn't like quote characters all that
much.  Apostrophes sure, but no ".

By the way, if I turn quote_gpc off, I can suddenly insert " characters,
but of course ' characters are no longer escaped.  It only happens when
quote_gpc is turned on.

To reiterate, to duplicate this you must turn all quoting functions on,
create a form with a simple text field, and a PHP3 script to catch and
echo that value in a statement such as this:

echo "' $your_variable '";

I'm not so much looking for ways to deal with this problem, but rather a
fix for this type of behavior (because I'm lazy, and having to re-escape
everything after PHP gets it seems a bit redundant).



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [1998-04-12 05:48 UTC] zeev
fixed in the latest CVS
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun May 29 02:05:45 2022 UTC