PHP :: Bug #33904 :: magic quotes added to posted array keys even when magic_quotes

Bug #33904

magic quotes added to posted array keys even when magic_quotes_gpc is off

Submitted:

2005-07-28 15:36 UTC

Modified:

2005-07-29 17:44 UTC

Votes:	1
Avg. Score:	4.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

php at kanariepiet dot com

Assigned:

Status:

Closed

Package:

*General Issues

PHP Version:

5CVS-2005-07-29

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	php at kanariepiet dot com
New email:
PHP Version:		OS:

New Comment:

[2005-07-28 15:36 UTC] php at kanariepiet dot com

Description:
------------
With magic_quotes_gpc turned off, PHP shouldn't add quotes to 
posted variables. This is true for normal variables like 
<input type="text" name="test" value="foo'bar">.
However, when posting associative arrays like <input 
type="text" name="test[foo'bar]" value="dummy"> PHP 5.0.4 adds 
a quote before the '.

PHP 4.3.4 does not have this bug.

Reproduce code:
---------------
<?php print_r ($_POST); ?>
<form method="post">
<input type="text" name="foo'bar" value="dummy">
<input type="submit">
</form>

Expected result:
----------------
With magic_quotes_gpc turned off, it should say (and PHP 4.3.4 
does):
Array
(
   [foo'bar] => dummy
)

Actual result:
--------------
However, with PHP 5.0.4 it says:
Array
(
   [foo\'bar] => dummy
)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-07-28 16:26 UTC] php at kanariepiet dot com

To be more precies:

The quotes in the value parts of the $_POST array are left 
alone (good), but the quotes in the key parts of the $_POST 
array are preceeded with slashes (wrong).

[2005-07-28 16:30 UTC] php at kanariepiet dot com

phpinfo() show that magic quotes are turned off.
As stated above, value parts are left alone. The following 
code returns Array ( [test] => foo'bar ) as expected, so the 
settings are ok.

<?php print_r ($_POST); ?>
<form method="post">
<input type="text" name="test" value="foo'bar">
</form>

[2005-07-28 16:34 UTC] sniper@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

[2005-07-28 17:04 UTC] php at kanariepiet dot com

php5-200507281430 gives the same results as php-5.0.4:

<?php
        print_r ($_POST);
?>
<form method="post">
<input type="text" name="foo'bar" value="bar'foo">
</form>

returns

Array (
  [foo\'bar] => bar'foo
)

[2005-07-28 17:20 UTC] tony2001@php.net

See also bug #29165.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sun Oct 27 16:01:27 2024 UTC