php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47501 stripslashes() converts \0 into a null character
Submitted: 2009-02-25 11:15 UTC Modified: 2009-08-31 16:58 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: gazheyes at gmail dot com Assigned:
Status: Not a bug Package: Strings related
PHP Version: 5.2.8 OS: *
Private report: No CVE-ID: None
 [2009-02-25 11:15 UTC] gazheyes at gmail dot com
Description:
------------
Stripslashes appears to be converting null escapes into a null character. I've tested other unicode characters from 0 to 100,000 and only null escapes are converted. IMO you shouldn't be able to decode null chars from a url like this. 

Marc Zimmerli originally found this bug.

Reproduce code:
---------------
the url contains page.php?x=\0

<?php
echo stripslashes($_GET['x']);
?>

Expected result:
----------------
0

Actual result:
--------------
null

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-25 13:37 UTC] jani@php.net
Try this script instead:

<?php
var_dump($_GET['x'], stripslashes($_GET['x']));
?>
 [2009-02-25 15:22 UTC] gazheyes at gmail dot com
Result:-

string(2) "\0"
string(1) " "
 [2009-08-31 16:57 UTC] sjoerd@php.net
Thank you for your bug report.

I could reproduce the problem, but I don't think it is a bug. Stripslashes is meant to be the reverse of addslashes or the magic_quotes_gpc behavior. This means it does not only remove the slash in front of quotes, but also handles some other escaped characters, such as newlines and null characters:

<?php
$slashed = addslashes("\0\r\n\t");
echo bin2hex(stripslashes($slashed));
?>
 [2009-08-31 16:58 UTC] sjoerd@php.net
So I set it to bogus.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 14 08:01:23 2019 UTC