From:             [EMAIL PROTECTED]
Operating system: any
PHP version:      4.1.2
PHP Bug Type:     Feature/Change Request
Bug description:  strings should remember whether they are magic_quoted, htmlized or neither

Idea: any string should "know" whether AddSlashes (or magic quotes) or
HtmlSpecialChars or neither has been applied to it. Then you could have
functions declare what kind of string they expect as parameters and what
kind of string they return, and PHP would automatically do the conversion.
When writing string literals, one could indicate the type by prepending a
letter: q"..." for magic-quoted (or s"..." for added slashes, which is the
same), and h"..." for an HTMLized string. When including variables in a
string literal, PHP would convert them, if necessary, to the same string
type as the literal. Then you could write:

mysql_query(q"INSERT INTO table VALUES('$var')");

and PHP would do the right thing regardless of whether $var has the quotes
escaped or not, because it would _know_ if it has, and escape them if it
has not.

The example for an HTMLized string goes like this:
echo h"<INPUT TYPE=HIDDEN NAME=whatever VALUE=\"$var\">";

Of course, PHP would also have to correctly handle string concatenations
etc. - when you join several strings of different kinds, it should convert
all of them to the kind of the first one...

If you don't like the q"..." syntax, the same could be done with
typecasting: (EscapedString)"..." and (HTMLizedString)"..." - in fact,
it's probably better, because that way you could typecast any strings (or
any values, in fact), not just string literals.

I think it is a problem that now the behaviour of applications is
seriously dependent on PHP's configuration of magic_quotes - this would
solve it! (I.e. now, when I write a script that expects magic_quotes on,
it will have serious security holes when run with magic_quotes off!)

Wow, isn't that a brilliant idea! ;-) (You can't expect praise from anyone
but yourself.)
-- 
Edit bug report at http://bugs.php.net/?id=16480&edit=1
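
An added sketch of the idea in this report, not code from the report or from PHP: string types that carry their escaping state, so a value is converted only when it is not already in the required form. It is written in Python because the concatenation rule needs operator overloading; the names Tagged, SqlEscaped, Html, sql_insert and hidden_input are assumptions.

```python
import html
import re

class Tagged(str):
    """A str that remembers which escaping has already been applied to it."""

    @classmethod
    def of(cls, value):
        """Return value in this form, escaping only if that is still needed."""
        if isinstance(value, cls):
            return value                       # already this kind: never escape twice
        if isinstance(value, Tagged):
            value = type(value).decode(value)  # other kind: back to raw text first
        return cls(cls.encode(str(value)))

    def __add__(self, other):                  # result takes the kind of the first operand
        return type(self)(str.__add__(self, type(self).of(other)))

    def __radd__(self, other):                 # plain str + tagged: the plain side is escaped
        return type(self)(str.__add__(type(self).of(other), self))

class SqlEscaped(Tagged):
    """addslashes()-style form (the report's q-strings)."""
    @staticmethod
    def encode(raw):
        return re.sub(r"([\\'\"])", r"\\\1", raw).replace("\0", "\\0")

    @staticmethod
    def decode(text):
        return re.sub(r"\\(.)", lambda m: "\0" if m[1] == "0" else m[1], text, flags=re.S)

class Html(Tagged):
    """htmlspecialchars()-style form (the report's h-strings)."""
    @staticmethod
    def encode(raw):
        return html.escape(raw, quote=True)

    @staticmethod
    def decode(text):
        return html.unescape(text)

def sql_insert(var):
    # The report's q"INSERT INTO table VALUES('$var')": literals are tagged, $var is converted.
    return SqlEscaped("INSERT INTO table VALUES('") + var + SqlEscaped("')")

def hidden_input(var):
    # The report's h"<INPUT TYPE=HIDDEN NAME=whatever VALUE=\"$var\">"
    return Html('<INPUT TYPE=HIDDEN NAME=whatever VALUE="') + var + Html('">')
```

The HTML half of this design is what auto-escaping template engines implement; for SQL, bound query parameters avoid the escaping step entirely.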