php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62526 magic_quotes_gpc is deprecated but defaults to 1
Submitted: 2012-07-11 01:42 UTC Modified: 2012-07-11 13:37 UTC
From: sun at unleashedmind dot com Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: 5.3.14 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sun at unleashedmind dot com
New email:
PHP Version: OS:

 

 [2012-07-11 01:42 UTC] sun at unleashedmind dot com
Description:
------------
http://php.net/manual/info.configuration.php states:

Warning  This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

But yet:

Name              Default [...] Changelog
magic_quotes_gpc  "1"           Removed in PHP 5.4.0.

Pretty much all distros ship with PHP 5.3.x that has it disabled today:

magic_quotes_gpc = Off

But when PHP has no configuration file (which happens to be the case for CLI in some bundles/distros; e.g., MAMP), then the evil feature is unexpectedly enabled.

Proposed solution:

- Change the default to "0" (off).


Related bugs:
- https://bugs.php.net/bug.php?id=61550 - philip stated that "It remains on by default with PHP 5.3.x", but did not give a reason for why that is.  Any chance to discuss, or at least to get a reason?

Backstory: http://drupal.org/node/1569456#comment-6045228


Test script:
---------------
echo ini_get("magic_quotes_gpc");

Expected result:
----------------
0

Actual result:
--------------
1

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-07-11 02:38 UTC] rasmus@php.net
Because it does unfortunately provide a security blanket for a number of sites 
out there. So we warn that it is deprecated and focus on trying to teach people 
to turn it off and not use it in 5.3 before we entirely remove it in 5.4.
 [2012-07-11 02:38 UTC] rasmus@php.net
-Status: Open +Status: Not a bug
 [2012-07-11 13:37 UTC] sun at unleashedmind dot com
Thanks for clarifying, Rasmus.

We'll try to report and fix the missing/default configuration files in the affected bundles/distros instead then.  They should have it disabled for a long time anyway already.

E.g., in the case of MAMP, the default config for Apache actually has it disabled, but the php.ini for CLI does not specify the setting at all.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 01:01:28 2024 UTC