Bug #46759 magic_quotes_gpc doesn't work
Submitted: 2008-12-05 11:52 UTC Modified: 2008-12-06 17:54 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:1 (25.0%)
From: vrana@php.net Assigned:
Status: Closed Package: Variables related
PHP Version: 5.2.7 OS: Windows
Private report: No CVE-ID: None
 [2008-12-05 11:52 UTC] vrana@php.net
Description:
------------
magic_quotes_gpc doesn't escape $_GET, $_POST, $_COOKIE and $_REQUEST variables. It worked with the same configuration under 5.2.6.

I have magic_quotes_gpc set in php.ini.

Reproduce code:
---------------
URL: ?q='

<?php
var_dump(PHP_VERSION);
var_dump(get_magic_quotes_gpc());
var_dump($_GET["q"]);


Expected result:
----------------
string(5) "5.2.7"
int(1)
string(2) "\'"


Actual result:
--------------
string(5) "5.2.7"
int(1)
string(2) "'"


 [2008-12-06 01:28 UTC] brion at pobox dot com
This causes downstream MediaWiki bug:
https://bugzilla.wikimedia.org/show_bug.cgi?id=16570

Data corruption and failure to properly submit edits when magic_quotes_gpc is enabled. (Workaround: disable magic_quotes_gpc so input doesn't get munged by stripslashes().)

Presumably causes similar breakage in every other web app that attempts to correct for magic_quotes_gpc.
 [2008-12-06 10:03 UTC] cabel at panic dot com
We haven't yet had a chance to addslashes() our input in preparation for 
PHP 6.

So as it stands, this bug -- which we're also seeing with 5.2.7 -- 
currently means giant scary security holes in our scripts as we were 
relying on magic_quotes_gpc to make things "safe".

Not great...
 [2008-12-06 16:20 UTC] magicaltux@php.net
The fix for bug #42718 seems to be at the origin of this bug.

If the fix is reverted, magic_quotes_gpc works again as expected.
 [2008-12-06 17:08 UTC] magicaltux@php.net
After checking bug #42718 and filter extension's documentation, I believe enabling a filter *should not* disable magic_quotes_gpc (nothing is written in the documentation about this).

This patch allows application of magic_quotes_gpc *after* filters execution *if* enabled.

http://ookoo.org/svn/snip/php_5_2-broken_filter_and_magic_quotes.patch
 [2008-12-06 17:26 UTC] scottmac@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

I've backed out the fix for bug #42718.
 [2008-12-06 17:54 UTC] lbarnaud@php.net
A quick workaround for 5.2.7 users is to add the following in the php.ini:

filter.default_flags=0
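
Added example, not part of the original report or of any commenter's code: it reproduces the two downstream effects described in the comments above (stripslashes() corrupting input when the flag is reported but escaping did not happen, and queries that relied on the escaping) and shows a bound parameter storing the value intact either way. The helper names and the sample value are hypothetical; it assumes magic_quotes_sybase is off, so escaping is equivalent to addslashes(), and that pdo_sqlite is available.

```php
<?php
// Added illustration; helper names and sample data are constructed.

// The common "undo magic quotes" idiom. The flag is passed in as a parameter
// so both behaviours can be compared on any PHP version.
function undo_magic_quotes(string $value, bool $flagReported): string
{
    return $flagReported ? stripslashes($value) : $value;
}

// Simulates what the runtime hands to the script for a submitted value
// (assumption: magic_quotes_sybase is off, so escaping equals addslashes()).
function as_received(string $submitted, bool $escapingApplied): string
{
    return $escapingApplied ? addslashes($submitted) : $submitted;
}

// Stores a value through a bound parameter and reads it back.
// No dependence on whether the input was escaped on the way in.
function store_and_read(string $value): string
{
    $db = new PDO('sqlite::memory:'); // assumes pdo_sqlite is available
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE notes (body TEXT)');
    $db->prepare('INSERT INTO notes (body) VALUES (?)')->execute([$value]);
    return $db->query('SELECT body FROM notes')->fetchColumn();
}

$submitted = "C:\\temp\\o'brien.txt"; // constructed input: backslashes and a quote

// 5.2.6 behaviour: flag reported and escaping applied, so the round trip is lossless.
$roundTrip = undo_magic_quotes(as_received($submitted, true), true);

// Behaviour in this report: flag reported, escaping not applied.
// stripslashes() now removes backslashes that were part of the data.
$corrupted = undo_magic_quotes(as_received($submitted, false), true);

var_dump($roundTrip === $submitted);
var_dump($corrupted);
var_dump(store_and_read($submitted) === $submitted);
```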

Last updated: Thu Sep 12 12:01:27 2024 UTC