php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33946 setting 'magic_quotes_gpc' in the script should re-create GPC arrays
Submitted: 2005-08-01 15:43 UTC Modified: 2005-08-12 17:30 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: Arne dot Heizmann at csr dot com Assigned:
Status: Wont fix Package: PHP options/info functions
PHP Version: 4.3.11 OS: Windows 2000
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2005-08-01 15:43 UTC] Arne dot Heizmann at csr dot com
Description:
------------
The following code:

    ini_set ('magic_quotes_gpc') = 'Off';

does not have any effect. This is devastatingly bad for people who want to run their scripts on a server where they don't have access to php.ini.

I propose that a call to ini_set that changes the value of 'magic_quotes_gpc' should trigger a re-parsing of the input values (get, post, cookies) and re-fill the superglobal arrays with the new setting in mind.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-01 16:53 UTC] edink@php.net
Some settings like magic_quotes_* have only effect on things run before PHP script execution starts, and this will not change.
 [2005-08-01 20:07 UTC] Arne dot Heizmann at csr dot com
Have you read my proposal at all? "this will not change" is not very much of an explanation. The current way is not useful to anyone at all.
 [2005-08-01 20:18 UTC] rasmus@php.net
Reparsing the input data on an ini change would be a large change to the way PHP does things.  And doing this from user space is a one-liner, so I don't really see the need.

eg.

$_POST = array_map('stripslashes',$_POST);

Or you can call parse_str() yourself after setting magic_quotes_gpc.  
 [2005-08-12 17:30 UTC] Arne dot Heizmann at csr dot com
> Reparsing the input data on an ini change would be a large
> change to the way PHP does things.

That isn't an argument not to do it because the current behaviour is a major problem.

> And doing this from user space is a one-liner, so
> I don't really see the need.
> $_POST = array_map('stripslashes',$_POST);

It's not a one-liner because you've forgotten to check if magic_quotes might already be turned Off in which case you must not call stripslashes. But even if it *was* a one-liner, it would be quite stupid to have to add this line to the beginning of all PHP scripts in the world that are supposed to work on more than just one server.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Sep 23 11:01:27 2019 UTC