|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47501 stripslashes() converts \0 into a null character
Submitted: 2009-02-25 11:15 UTC Modified: 2009-08-31 16:58 UTC
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: gazheyes at gmail dot com Assigned:
Status: Not a bug Package: Strings related
PHP Version: 5.2.8 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: gazheyes at gmail dot com
New email:
PHP Version: OS:


 [2009-02-25 11:15 UTC] gazheyes at gmail dot com
Stripslashes appears to be converting null escapes into a null character. I've tested other unicode characters from 0 to 100,000 and only null escapes are converted. IMO you shouldn't be able to decode null chars from a url like this. 

Marc Zimmerli originally found this bug.

Reproduce code:
the url contains page.php?x=\0

echo stripslashes($_GET['x']);

Expected result:

Actual result:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-02-25 13:37 UTC]
Try this script instead:

var_dump($_GET['x'], stripslashes($_GET['x']));
 [2009-02-25 15:22 UTC] gazheyes at gmail dot com

string(2) "\0"
string(1) " "
 [2009-08-31 16:57 UTC]
Thank you for your bug report.

I could reproduce the problem, but I don't think it is a bug. Stripslashes is meant to be the reverse of addslashes or the magic_quotes_gpc behavior. This means it does not only remove the slash in front of quotes, but also handles some other escaped characters, such as newlines and null characters:

$slashed = addslashes("\0\r\n\t");
echo bin2hex(stripslashes($slashed));
 [2009-08-31 16:58 UTC]
So I set it to bogus.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Apr 21 12:01:29 2024 UTC