PHP :: Bug #33946 :: setting 'magic_quotes_gpc' in the script should re-create GPC arrays

Bug #33946

setting 'magic_quotes_gpc' in the script should re-create GPC arrays

Submitted:

2005-08-01 15:43 UTC

Modified:

2005-08-12 17:30 UTC

Votes:	2
Avg. Score:	4.5 ± 0.5
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	2 (100.0%)

From:

Arne dot Heizmann at csr dot com

Assigned:

Status:

Wont fix

Package:

PHP options/info functions

PHP Version:

4.3.11

OS:

Windows 2000

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!

Your email address: MUST BE VALID
Solve the problem: 30 + 24 = ?
Subscribe to this entry?

[2005-08-01 15:43 UTC] Arne dot Heizmann at csr dot com

Description:
------------
The following code:

    ini_set ('magic_quotes_gpc') = 'Off';

does not have any effect. This is devastatingly bad for people who want to run their scripts on a server where they don't have access to php.ini.

I propose that a call to ini_set that changes the value of 'magic_quotes_gpc' should trigger a re-parsing of the input values (get, post, cookies) and re-fill the superglobal arrays with the new setting in mind.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-08-01 16:53 UTC] edink@php.net

Some settings like magic_quotes_* have only effect on things run before PHP script execution starts, and this will not change.

[2005-08-01 20:07 UTC] Arne dot Heizmann at csr dot com

Have you read my proposal at all? "this will not change" is not very much of an explanation. The current way is not useful to anyone at all.

[2005-08-01 20:18 UTC] rasmus@php.net

Reparsing the input data on an ini change would be a large change to the way PHP does things.  And doing this from user space is a one-liner, so I don't really see the need.

eg.

$_POST = array_map('stripslashes',$_POST);

Or you can call parse_str() yourself after setting magic_quotes_gpc.

[2005-08-12 17:30 UTC] Arne dot Heizmann at csr dot com

> Reparsing the input data on an ini change would be a large
> change to the way PHP does things.

That isn't an argument not to do it because the current behaviour is a major problem.

> And doing this from user space is a one-liner, so
> I don't really see the need.
> $_POST = array_map('stripslashes',$_POST);

It's not a one-liner because you've forgotten to check if magic_quotes might already be turned Off in which case you must not call stripslashes. But even if it *was* a one-liner, it would be quite stupid to have to add this line to the beginning of all PHP scripts in the world that are supposed to work on more than just one server.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 01:01:28 2024 UTC