Bug #46759 magic_quotes_gpc doesn't work
Submitted: 2008-12-05 11:52 UTC Modified: 2008-12-06 17:54 UTC
Avg. Score: 4.8 ± 0.4
Reproduced: 4 of 4 (100.0%)
Same Version: 4 (100.0%)
Same OS: 1 (25.0%)
From: Assigned:
Status: Closed Package: Variables related
PHP Version: 5.2.7 OS: Windows
Private report: No CVE-ID: None


 [2008-12-05 11:52 UTC]
magic_quotes_gpc doesn't escape $_GET, $_POST, $_COOKIE and $_REQUEST variables. It worked with the same configuration under 5.2.6.

I have magic_quotes_gpc set in php.ini.

Reproduce code:
URL: ?q='


Expected result:
string(5) "5.2.7"
string(2) "\'"

Actual result:
string(5) "5.2.7"
string(2) "'"


 [2008-12-06 01:28 UTC] brion at pobox dot com
This causes downstream MediaWiki bug:

Data corruption and failure to properly submit edits when magic_quotes_gpc is enabled. (Workaround: disable magic_quotes_gpc so input doesn't get munged by stripslashes().)

Presumably causes similar breakage in every other web app that attempts to correct for magic_quotes_gpc.
 [2008-12-06 10:03 UTC] cabel at panic dot com
We haven't yet had a chance to addslashes() our input in preparation for 
PHP 6.

So as it stands, this bug -- which we're also seeing with 5.2.7 -- 
currently means giant scary security holes in our scripts as we were 
relying on magic_quotes_gpc to make things "safe".

Not great...
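
An added example, not part of the original thread and not PHP's or MediaWiki's code: it illustrates the two effects described in the comments above, assuming an application that undoes magic quotes with stripslashes() whenever the setting is reported as enabled. Helper names, the table and the sample inputs are constructed for illustration; the second part uses a bound parameter (PDO with in-memory SQLite), which does not depend on magic_quotes_gpc.

```php
<?php
// Added illustration: helper names are hypothetical, sample inputs are constructed.

// What PHP does to GET/POST/COOKIE input when magic_quotes_gpc really is applied.
function php_applies_magic_quotes($raw)
{
    return addslashes($raw);
}

// Common application-side compensation: strip slashes when the setting is reported on.
function app_undo_magic_quotes($value, $reportedOn)
{
    return $reportedOn ? stripslashes($value) : $value;
}

$samples = array("O'Reilly", 'C:\\temp\\new', 'regex \\d+');

// Part 1: round trip with escaping applied vs. escaping silently skipped.
foreach ($samples as $raw) {
    $applied = app_undo_magic_quotes(php_applies_magic_quotes($raw), true);
    $skipped = app_undo_magic_quotes($raw, true);
    printf("%-14s applied: %-14s skipped: %-14s %s\n",
        $raw, $applied, $skipped, $skipped === $raw ? 'intact' : 'CORRUPTED');
}

// Part 2: a bound parameter stores the value verbatim whether or not
// magic quotes ran, so query safety no longer depends on the ini setting.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (title TEXT)');

$insert = $pdo->prepare('INSERT INTO pages (title) VALUES (?)');
foreach ($samples as $raw) {
    $insert->execute(array($raw));
}

$stored = $pdo->query('SELECT title FROM pages ORDER BY rowid')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === $samples); // compares stored values with the raw input
```
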
 [2008-12-06 16:20 UTC]
The fix for bug #42718 seems to be at the origin of this bug.

If the fix is reverted, magic_quotes_gpc works again as expected.
 [2008-12-06 17:08 UTC]
After checking bug #42718 and the filter extension's documentation, I believe enabling a filter *should not* disable magic_quotes_gpc (nothing is written in the documentation about this).

This patch allows application of magic_quotes_gpc *after* filter execution *if* enabled.
 [2008-12-06 17:26 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

I've backed out the fix for bug #42718
 [2008-12-06 17:54 UTC]
A quick workaround for 5.2.7 users is to add the following in the php.ini:

