 ID:               46759
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Open
 Bug Type:         Variables related
 Operating System: Windows
 PHP Version:      5.2.7
 New Comment:

Fix for bug #42718 seems at the origin of this bug. If the fix is
reverted, magic_quotes_gpc works again as expected.

Previous Comments:
------------------------------------------------------------------------

[2008-12-06 10:03:18] cabel at panic dot com

We haven't yet had a chance to addslashes() our input in preparation
for PHP 6. So as it stands, this bug -- which we're also seeing with
5.2.7 -- currently means giant scary security holes in our scripts as
we were relying on magic_quotes_gpc to make things "safe". Not great...

------------------------------------------------------------------------

[2008-12-06 01:28:00] brion at pobox dot com

This causes downstream MediaWiki bug:
https://bugzilla.wikimedia.org/show_bug.cgi?id=16570

Data corruption and failure to properly submit edits when
magic_quotes_gpc is enabled. (Workaround: disable magic_quotes_gpc so
input doesn't get munged by stripslashes().)

Presumably causes similar breakage in every other web app that attempts
to correct for magic_quotes_gpc.

------------------------------------------------------------------------

[2008-12-05 11:52:05] [EMAIL PROTECTED]

Description:
------------
magic_quotes_gpc doesn't escape $_GET, $_POST, $_COOKIE and $_REQUEST
variables. It worked with the same configuration under 5.2.6. I have
magic_quotes_gpc set in php.ini.

Reproduce code:
---------------
URL: ?q='

<?php
var_dump(PHP_VERSION);
var_dump(get_magic_quotes_gpc());
var_dump($_GET["q"]);

Expected result:
----------------
string(5) "5.2.7"
int(1)
string(2) "\'"

Actual result:
--------------
string(5) "5.2.7"
int(1)
string(2) "'"

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=46759&edit=1
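
The mismatch reported in this thread (get_magic_quotes_gpc() returns 1 while $_GET values arrive unescaped) can be detected per request by comparing each value with the raw query string. The following is an added example, not code from the bug report or the PHP project; raw_query_param(), classify_quoting() and audit_request() are hypothetical names, and it assumes magic_quotes_sybase is off and parameters are plain scalars.

```php
<?php
// Added example; function names are hypothetical, not PHP or MediaWiki APIs.
// Assumes magic_quotes_sybase is off and parameters are plain scalars.

// Decode one parameter from the raw query string, bypassing $_GET.
function raw_query_param($queryString, $name) {
    foreach (explode('&', $queryString) as $pair) {
        $parts = explode('=', $pair, 2);
        if (urldecode($parts[0]) === $name) {
            return isset($parts[1]) ? urldecode($parts[1]) : '';
        }
    }
    return null;
}

// Compare what get_magic_quotes_gpc() reports with what was actually done.
function classify_quoting($reportedOn, $raw, $seen) {
    $expected = addslashes($raw);
    if ($expected === $raw) return 'inconclusive';   // nothing to escape
    if ($seen === $expected) {
        return $reportedOn ? 'consistent' : 'escaped-but-reported-off';
    }
    if ($seen === $raw) {
        return $reportedOn ? 'unescaped-but-reported-on' : 'consistent';
    }
    return 'unknown';                                // some other transformation
}

// Check every scalar GET parameter of the current request and log mismatches.
function audit_request() {
    $on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    $qs = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    $findings = array();
    foreach ($_GET as $name => $seen) {
        if (!is_string($seen)) continue;             // skip array parameters
        $raw = raw_query_param($qs, $name);
        if ($raw === null) continue;                 // name not found verbatim
        $state = classify_quoting($on, $raw, $seen);
        if ($state !== 'consistent' && $state !== 'inconclusive') {
            $findings[$name] = $state;
            error_log('magic_quotes_gpc mismatch on GET ' . rawurlencode($name) . ': ' . $state);
        }
    }
    return $findings;
}

// Constructed sample: the request from the report, ?q='
$raw = raw_query_param('q=%27', 'q');
var_dump(classify_quoting(true, $raw, "'"));    // value as seen under 5.2.7
var_dump(classify_quoting(true, $raw, "\\'"));  // value as seen under 5.2.6
```

Code that strips slashes whenever get_magic_quotes_gpc() is set, or that passes GPC values to a query without its own escaping, is exposed whenever audit_request() returns a non-empty array.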