php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33904 magic quotes added to posted array keys even when magic_quotes_gpc is off
Submitted: 2005-07-28 15:36 UTC Modified: 2005-07-29 17:44 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php at kanariepiet dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 5CVS-2005-07-29 OS: *
Private report: No CVE-ID:
 [2005-07-28 15:36 UTC] php at kanariepiet dot com
Description:
------------
With magic_quotes_gpc turned off, PHP shouldn't add quotes to 
posted variables. This is true for normal variables like 
<input type="text" name="test" value="foo'bar">.
However, when posting associative arrays like <input 
type="text" name="test[foo'bar]" value="dummy"> PHP 5.0.4 adds 
a quote before the '.

PHP 4.3.4 does not have this bug.

Reproduce code:
---------------
<?php print_r ($_POST); ?>
<form method="post">
<input type="text" name="foo'bar" value="dummy">
<input type="submit">
</form>

Expected result:
----------------
With magic_quotes_gpc turned off, it should say (and PHP 4.3.4 
does):
Array
(
   [foo'bar] => dummy
)

Actual result:
--------------
However, with PHP 5.0.4 it says:
Array
(
   [foo\'bar] => dummy
)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-07-28 16:26 UTC] php at kanariepiet dot com
To be more precies:

The quotes in the value parts of the $_POST array are left 
alone (good), but the quotes in the key parts of the $_POST 
array are preceeded with slashes (wrong).
 [2005-07-28 16:30 UTC] php at kanariepiet dot com
phpinfo() show that magic quotes are turned off.
As stated above, value parts are left alone. The following 
code returns Array ( [test] => foo'bar ) as expected, so the 
settings are ok.

<?php print_r ($_POST); ?>
<form method="post">
<input type="text" name="test" value="foo'bar">
</form>
 [2005-07-28 16:34 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-07-28 17:04 UTC] php at kanariepiet dot com
php5-200507281430 gives the same results as php-5.0.4:

<?php
        print_r ($_POST);
?>
<form method="post">
<input type="text" name="foo'bar" value="bar'foo">
</form>

returns

Array (
  [foo\'bar] => bar'foo
)
 [2005-07-28 17:20 UTC] tony2001@php.net
See also bug #29165.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 16:02:23 2014 UTC