php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52221 Misbehaviour of magic_quotes_runtime (get/set))
Submitted: 2010-07-01 14:13 UTC Modified: 2010-09-15 14:40 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: m dot philipp at coreto dot de Assigned: mysql
Status: Closed Package: MySQLi related
PHP Version: 5.3.2 OS: Any (if using mysqlnd)
Private report: No CVE-ID:
 [2010-07-01 14:13 UTC] m dot philipp at coreto dot de
Description:
------------
The documentation lists the get_magic_quotes_runtime() / set_magic_quotes_runtime() functions as DEPRECATED as of this PHP version. They still exist and can be called, but already work inconsistent. When magic_quotes_runtime 
file_get_contents() still escapes data, mysqli_fetch_assoc() does not anymore.

Test script:
---------------
<?php
set_magic_quotes_runtime(1);
echo "GMQR: ";
var_dump(get_magic_quotes_runtime());

$c = mysqli_connect();
mysqli_select_db($c, "test");
$r = mysqli_query($c, "select t from test;");
$ra = mysqli_fetch_assoc($r);
echo "\nDB test:\n" . $ra['t'];



$f = file_get_contents("test.txt");
echo "\n\nfile test.txt:\n" . $f;

----
Content of "test.txt" and table "t":
backslash: \
slash: /
double backslash: \\
quotes: "
single quotes: ' 



Expected result:
----------------
Expecting similar behaviour from both function calls, dependent of the acutal magic_quotes_runtime setting.
-OR-
throwing a fatal or catchable_fatal error that unexpectet results can occur. A function thould be completely removed instead of marked as deprecated, when it starts to stop working like before.

Actual result:
--------------
Deprecated:  Function set_magic_quotes_runtime() is deprecated in test.php on line 1

GMQR: int(1)

DB test:
backslash: \
slash: /
double backslash: \\
quotes: "
single quotes: ' 

file test.txt:
backslash: \\
slash: /
double backslash: \\\\
quotes: \"
single quotes: \' 


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-19 07:54 UTC] m dot philipp at coreto dot de
-Package: Documentation problem +Package: Scripting Engine problem
 [2010-07-19 07:54 UTC] m dot philipp at coreto dot de
Package correction
 [2010-08-01 23:23 UTC] felipe@php.net
-Package: Scripting Engine problem +Package: MySQLi related
 [2010-08-14 01:15 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: mysql
 [2010-08-25 15:55 UTC] uw@php.net
-Status: Assigned +Status: Wont fix -Package: MySQLi related +Package: Documentation problem
 [2010-08-25 15:55 UTC] uw@php.net
mysqlnd does not support magic quotes any more. It is a deprecated feature and mysqlnd is new. The documentation should note that.
 [2010-08-25 16:22 UTC] philip@php.net
-Status: Wont fix +Status: Assigned
 [2010-08-25 16:27 UTC] andrey@php.net
It should be documented that mysqlnd is a new development and doesn't implement magic quotes. PDO is a new development too, and doesn't implement magic quotes too. What can be done is adding a php_error_docref(E_WARNING) at MINIT/RINIT which will tell the developer that if mysqlnd is active and magic_quotes is set that it won't work with mysqli. Also a warning can be thrown at every mysqli call.
 [2010-08-25 16:28 UTC] andrey@php.net
-Status: Assigned +Status: Verified -Assigned To: mysql +Assigned To:
 [2010-08-25 16:28 UTC] andrey@php.net
Doc Problem, not for user mysql.
 [2010-08-25 16:32 UTC] uw@php.net
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: mysql
 [2010-08-25 16:32 UTC] uw@php.net
Getting quite unsure about the won't fix after discussion with Johannes. Johannes is correct in arguing that the silent removal of a deprecated feature could break apps unexpectedly, which is bad because magic quotes has some security impact. 

Maybe adding magic quotes (although they are deprecated) to mysqlnd and throwing a deprecation warning would be best?

Phillip, thoughts? You re-opened it. Not sure if you noticed I had changed the category/package: Did you intend to re-open as docs or code issue?
 [2010-08-25 17:06 UTC] andrey@php.net
Automatic comment from SVN on behalf of andrey
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=302776
Log: Fix for bug #52221 Misbehaviour of magic_quotes_runtime (get/set))
 [2010-08-25 22:20 UTC] philip@php.net
I reopened it after reading "The documentation should note that" but personally I 
think MQ should work the same everywhere.
 [2010-08-26 17:21 UTC] andrey@php.net
-Status: Assigned +Status: Verified
 [2010-08-26 17:21 UTC] andrey@php.net
Fixed, to work like libmysql, in 5.3.4 
Documentation might need to be updated to state that it didn't work between 5.3.0 and 5.3.4
 [2010-09-03 16:22 UTC] uw@php.net
-Operating System: Windows Server 2008 R2 +Operating System: Any (if using mysqlnd)
 [2010-09-03 16:22 UTC] uw@php.net
Andrey, 

please have a look at the new test mysqli_magic_quotes.phpt. If I am not mistaken it will pass with libmysql but fail with mysqlnd.

Thanks!
 [2010-09-03 16:23 UTC] uw@php.net
-Package: Documentation problem +Package: MySQLi related
 [2010-09-03 16:23 UTC] uw@php.net
Setting back to code bug. After the fix it also needs to be documented.
 [2010-09-15 14:40 UTC] uw@php.net
-Status: Verified +Status: Closed
 [2010-09-15 14:40 UTC] uw@php.net
Fixed - http://news.php.net/php.cvs/63486 . Target version is 5.3.4.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 02:02:11 2014 UTC