|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52221 Misbehaviour of magic_quotes_runtime (get/set))
Submitted: 2010-07-01 14:13 UTC Modified: 2010-09-15 14:40 UTC
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: m dot philipp at coreto dot de Assigned: mysql
Status: Closed Package: MySQLi related
PHP Version: 5.3.2 OS: Any (if using mysqlnd)
Private report: No CVE-ID:
 [2010-07-01 14:13 UTC] m dot philipp at coreto dot de
The documentation lists the get_magic_quotes_runtime() / set_magic_quotes_runtime() functions as DEPRECATED as of this PHP version. They still exist and can be called, but already work inconsistent. When magic_quotes_runtime 
file_get_contents() still escapes data, mysqli_fetch_assoc() does not anymore.

Test script:
echo "GMQR: ";

$c = mysqli_connect();
mysqli_select_db($c, "test");
$r = mysqli_query($c, "select t from test;");
$ra = mysqli_fetch_assoc($r);
echo "\nDB test:\n" . $ra['t'];

$f = file_get_contents("test.txt");
echo "\n\nfile test.txt:\n" . $f;

Content of "test.txt" and table "t":
backslash: \
slash: /
double backslash: \\
quotes: "
single quotes: ' 

Expected result:
Expecting similar behaviour from both function calls, dependent of the acutal magic_quotes_runtime setting.
throwing a fatal or catchable_fatal error that unexpectet results can occur. A function thould be completely removed instead of marked as deprecated, when it starts to stop working like before.

Actual result:
Deprecated:  Function set_magic_quotes_runtime() is deprecated in test.php on line 1

GMQR: int(1)

DB test:
backslash: \
slash: /
double backslash: \\
quotes: "
single quotes: ' 

file test.txt:
backslash: \\
slash: /
double backslash: \\\\
quotes: \"
single quotes: \' 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-19 07:54 UTC] m dot philipp at coreto dot de
-Package: Documentation problem +Package: Scripting Engine problem
 [2010-07-19 07:54 UTC] m dot philipp at coreto dot de
Package correction
 [2010-08-01 23:23 UTC]
-Package: Scripting Engine problem +Package: MySQLi related
 [2010-08-14 01:15 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: mysql
 [2010-08-25 15:55 UTC]
-Status: Assigned +Status: Wont fix -Package: MySQLi related +Package: Documentation problem
 [2010-08-25 15:55 UTC]
mysqlnd does not support magic quotes any more. It is a deprecated feature and mysqlnd is new. The documentation should note that.
 [2010-08-25 16:22 UTC]
-Status: Wont fix +Status: Assigned
 [2010-08-25 16:27 UTC]
It should be documented that mysqlnd is a new development and doesn't implement magic quotes. PDO is a new development too, and doesn't implement magic quotes too. What can be done is adding a php_error_docref(E_WARNING) at MINIT/RINIT which will tell the developer that if mysqlnd is active and magic_quotes is set that it won't work with mysqli. Also a warning can be thrown at every mysqli call.
 [2010-08-25 16:28 UTC]
-Status: Assigned +Status: Verified -Assigned To: mysql +Assigned To:
 [2010-08-25 16:28 UTC]
Doc Problem, not for user mysql.
 [2010-08-25 16:32 UTC]
-Status: Verified +Status: Assigned -Assigned To: +Assigned To: mysql
 [2010-08-25 16:32 UTC]
Getting quite unsure about the won't fix after discussion with Johannes. Johannes is correct in arguing that the silent removal of a deprecated feature could break apps unexpectedly, which is bad because magic quotes has some security impact. 

Maybe adding magic quotes (although they are deprecated) to mysqlnd and throwing a deprecation warning would be best?

Phillip, thoughts? You re-opened it. Not sure if you noticed I had changed the category/package: Did you intend to re-open as docs or code issue?
 [2010-08-25 17:06 UTC]
Automatic comment from SVN on behalf of andrey
Log: Fix for bug #52221 Misbehaviour of magic_quotes_runtime (get/set))
 [2010-08-25 22:20 UTC]
I reopened it after reading "The documentation should note that" but personally I 
think MQ should work the same everywhere.
 [2010-08-26 17:21 UTC]
-Status: Assigned +Status: Verified
 [2010-08-26 17:21 UTC]
Fixed, to work like libmysql, in 5.3.4 
Documentation might need to be updated to state that it didn't work between 5.3.0 and 5.3.4
 [2010-09-03 16:22 UTC]
-Operating System: Windows Server 2008 R2 +Operating System: Any (if using mysqlnd)
 [2010-09-03 16:22 UTC]

please have a look at the new test mysqli_magic_quotes.phpt. If I am not mistaken it will pass with libmysql but fail with mysqlnd.

 [2010-09-03 16:23 UTC]
-Package: Documentation problem +Package: MySQLi related
 [2010-09-03 16:23 UTC]
Setting back to code bug. After the fix it also needs to be documented.
 [2010-09-15 14:40 UTC]
-Status: Verified +Status: Closed
 [2010-09-15 14:40 UTC]
Fixed - . Target version is 5.3.4.
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Wed Oct 07 08:01:41 2015 UTC