> php_zval_filter(&tmp_new_var, IF_G(default_filter), > IF_G(default_filter_flags), NULL, NULL/*charset*/, 0 TSRMLS_CC); > - } else if (PG(magic_quotes_gpc)) { > + } else if (PG(magic_quotes_gpc) && !retval) { /* for > PARSE_STRING php_register_variable_safe() will do the addslashes() */ > Z_STRVAL(new_var) = php_addslashes(*val, > Z_STRLEN(new_var), &Z_STRLEN(new_var), 0 TSRMLS_CC); > This comment is wrong. It is not php_register_variable_safe() but ext/filter that adds the magic_quotes.
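
Review bot: The added "&& !retval" test on the "else if (PG(magic_quotes_gpc) && !retval)" line is not connected to anything visible in the hunk. The trailing comment explains the change in terms of PARSE_STRING, but the condition checks retval, so a reader cannot tell what a non-zero retval means or why it implies the PARSE_STRING case. Either test the parse type directly or expand the comment to say what retval holds at this point, and move the comment to its own line above the condition. Note also that with magic_quotes_gpc enabled and retval non-zero, this branch no longer calls php_addslashes(), so escaping then depends entirely on another code path. The comment should name the function that actually does it, and a regression test should confirm the value is escaped exactly once in both cases.
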
And Antony's previous commit never fixed anything, it just broke magic_quotes_gpc and completely disabled it, introducing possible SQL injection vulnerabilities in tons of scripts...

BTW: When will ext/filter be rewritten to

a) support daisy chaining
b) not register the variables itself but actually work as filters were supposed to do
c) support Cookies correctly...

Stefan Esser

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php