ID: 47501
Updated by: [email protected]
Reported By: gazheyes at gmail dot com
Status: Open
Bug Type: Strings related
Operating System: *
PHP Version: 5.2.8
New Comment:
Thank you for your bug report.
I could reproduce the problem, but I don't think it is a bug.
Stripslashes is meant to be the reverse of addslashes or the
magic_quotes_gpc behavior. This means it does not only remove the slash
in front of quotes, but also handles some other escaped characters, such
as newlines and null characters:
<?php
$slashed = addslashes("\0\r\n\t");
echo bin2hex(stripslashes($slashed));
?>
Previous Comments:
------------------------------------------------------------------------
[2009-02-25 15:22:37] gazheyes at gmail dot com
Result:-
string(2) "\0"
string(1) " "
------------------------------------------------------------------------
[2009-02-25 13:37:33] [email protected]
Try this script instead:
<?php
var_dump($_GET['x'], stripslashes($_GET['x']));
?>
------------------------------------------------------------------------
[2009-02-25 11:15:51] gazheyes at gmail dot com
Description:
------------
Stripslashes appears to be converting null escapes into a null
character. I've tested other unicode characters from 0 to 100,000 and
only null escapes are converted. IMO you shouldn't be able to decode
null chars from a url like this.
Marc Zimmerli originally found this bug.
Reproduce code:
---------------
the url contains page.php?x=\0
<?php
echo stripslashes($_GET['x']);
?>
Expected result:
----------------
0
Actual result:
--------------
null
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=47501&edit=1
