From: andresipm at yahoo dot com
Operating system: windows XP
PHP version: 5.2.6
PHP Bug Type: Variables related
Bug description: addslashes() function modifies a $_POST variable even if you
dont want
Description:
------------
In the form enter a string with a quote anywhere. Clic several times the
submit button.
In the next code, it is supposed that the user will never excecute the
addslashes() function inside the if statement.
However, the value of the $_POST variable is changed and added slashes!!!!
Reproduce code:
---------------
<?php
if( false ){
$sss= $_POST["nameP"];
$sss= addslashes( $sss );
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
<html xmlns="http://www.w3.org/1999/xhtml";>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
/>
<title>nooh shit</title>
</head>
<body>
<form id="form1" name="form1" method="post" action="">
Enter the string "any'string" and send:<input name="nameP" type="text"
value="<?=$_POST["nameP"]?>" />
<input type="submit" name="enviar" id="enviar" value="Send" />
</form>
</body>
</html>
Expected result:
----------------
The expected result is that the $_POST variable keep its value:
original string: any'string
several submits later: any'string
Actual result:
--------------
The actual result is something like this:
original string: any'string
several submits later: any\\\\\\\\\\'string
--
Edit bug report at http://bugs.php.net/?id=45515&edit=1
--
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=45515&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=45515&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=45515&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=45515&r=fixedcvs
Fixed in release:
http://bugs.php.net/fix.php?id=45515&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=45515&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=45515&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=45515&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=45515&r=support
Expected behavior: http://bugs.php.net/fix.php?id=45515&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=45515&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=45515&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=45515&r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=45515&r=php4
Daylight Savings: http://bugs.php.net/fix.php?id=45515&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=45515&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=45515&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=45515&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=45515&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=45515&r=mysqlcfg
