|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33904 magic quotes added to posted array keys even when magic_quotes_gpc is off
Submitted: 2005-07-28 15:36 UTC Modified: 2005-07-29 17:44 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php at kanariepiet dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 5CVS-2005-07-29 OS: *
Private report: No CVE-ID: None
 [2005-07-28 15:36 UTC] php at kanariepiet dot com
With magic_quotes_gpc turned off, PHP shouldn't add quotes to 
posted variables. This is true for normal variables like 
<input type="text" name="test" value="foo'bar">.
However, when posting associative arrays like <input 
type="text" name="test[foo'bar]" value="dummy"> PHP 5.0.4 adds 
a quote before the '.

PHP 4.3.4 does not have this bug.

Reproduce code:
<?php print_r ($_POST); ?>
<form method="post">
<input type="text" name="foo'bar" value="dummy">
<input type="submit">

Expected result:
With magic_quotes_gpc turned off, it should say (and PHP 4.3.4 
   [foo'bar] => dummy

Actual result:
However, with PHP 5.0.4 it says:
   [foo\'bar] => dummy


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2005-07-28 16:26 UTC] php at kanariepiet dot com
To be more precies:

The quotes in the value parts of the $_POST array are left 
alone (good), but the quotes in the key parts of the $_POST 
array are preceeded with slashes (wrong).
 [2005-07-28 16:30 UTC] php at kanariepiet dot com
phpinfo() show that magic quotes are turned off.
As stated above, value parts are left alone. The following 
code returns Array ( [test] => foo'bar ) as expected, so the 
settings are ok.

<?php print_r ($_POST); ?>
<form method="post">
<input type="text" name="test" value="foo'bar">
 [2005-07-28 16:34 UTC]
Please try using this CVS snapshot:
For Windows:

 [2005-07-28 17:04 UTC] php at kanariepiet dot com
php5-200507281430 gives the same results as php-5.0.4:

        print_r ($_POST);
<form method="post">
<input type="text" name="foo'bar" value="bar'foo">


Array (
  [foo\'bar] => bar'foo
 [2005-07-28 17:20 UTC]
See also bug #29165.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Jul 12 10:01:28 2024 UTC