(12/02/16 16:24), J David wrote: > reported magic_quotes_gpc as Off/On, but magic quotes behavior started > happening anyway. Of course I just moved the configuration to the
I've also confirmed this behavior in snapshot version of PHP 5.3 (Build on Feb 16, 2012 00:30 UTC). I tested my https://gist.github.com/1840714 script. And I've got the following result:: $ wget -q "http://localhost:8080/phpinfo.php" -O - | grep "Loaded Configuration File" <tr><td class="e">Loaded Configuration File </td><td class="v">/private/tmp/php.ini </td></tr> $ cat /private/tmp/php.ini magic_quotes_gpc=On $ wget -q "http://localhost:8080/cve-2012-0831.php?a='" -O - PHP Version: 5.3.11-dev magic_quotes_gpc: 0 $_GET['a']: \' I think magic_quotes_gpc is not disabled. All of the PHP C sources might use "PG(magic_quotes_gpc)" to access to that setting value, so that result might not be affected zend_alter_ini_entry_ex(). But a result of "ini_get()" uses a setting value after the zend_alter_ini_entry_ex() calling, so it reports 0. The above is just my guessing because I'm not an expert of PHP C source code but probably it is not bad guessing, I think. -- Kousuke Ebihara ebih...@tejimaya.com -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php