|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #29165 Request variables are being escaped
Submitted: 2004-07-14 22:52 UTC Modified: 2005-03-15 01:00 UTC
Avg. Score:4.4 ± 0.7
Reproduced:6 of 6 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (33.3%)
From: guardkarma-php at yahoo dot com Assigned:
Status: No Feedback Package: *General Issues
PHP Version: 5.0.0 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: guardkarma-php at yahoo dot com
New email:
PHP Version: OS:


 [2004-07-14 22:52 UTC] guardkarma-php at yahoo dot com
When upgrading from php 4.3 to 5.0 and using the same 
php.ini file, form variable names with apostrophe 
characters are now being escaped.

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Reproduce code:

Expected result:
Array (  [variable'name] => value )

Actual result:
Array (  [variable\'name] => value )


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2004-07-15 11:40 UTC]
We don't support variable names with wierd characters, so the result is undefined.
 [2004-07-15 22:31 UTC] itsbrady-php at yahoo dot com
I don't think the bug is bogus, for several reasons:

#1) Any valid form input should be able to map to PHP. Sometimes PHP isn't the only programming environment present. Sometimes PHP might have to interoperate with other environments which might have different variable naming conventions, etc.

#2) The entire reason we chose to use apostrophes in our form variable names was to work around PHP's remapping from . to _ within variable names (e.g., foo.var => foo_var). We can't just remap back from underscore to period to "regenerate" the original variable name, because that might remap legitimate uses of the underscore (example, foo_something.var gets mapped to foo_something_var, and if you tried to map it back you'd get foo.something.var, which doesn't match).

#3) It used to work fine in all previous versions of PHP we've used (throughout the PHP 4.x series).

#4) We certainly do not want PHP to create Global variables like $foo'var - that would be nuts. We just want to access a perfectly valid key in a hash - $_REQUEST["foo'var"]. There's no language rule against any such key, and no real reason not to support variables so named on forms.
 [2004-07-21 23:27 UTC] guardkarma-php at yahoo dot com
This problem also makes PHP 5 not 100% backward 
 [2004-08-17 19:58 UTC] jakub dot phpbug at horky dot net
Yes, now I wanted to submit a bug regarding this and I found this. I think it should be at least documented as a change from PHP4, if not fixed.

The simple fix diff (warning, I didn't check it against various vulnerabilities regarding to not addslashes()'ing the key...):
 [2005-03-06 20:43 UTC]
Please try using this CVS snapshot:
For Windows:

 [2005-03-07 20:30 UTC]
See also bug #29776

 [2005-03-15 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Nov 27 15:05:53 2022 UTC