> php_zval_filter(&tmp_new_var, IF_G(default_filter),
> IF_G(default_filter_flags), NULL, NULL/*charset*/, 0 TSRMLS_CC);
> - } else if (PG(magic_quotes_gpc)) {
> + } else if (PG(magic_quotes_gpc) && !retval) { /* for
> PARSE_STRING php_register_variable_safe() will do the addslashes() */
> Z_STRVAL(new_var) = php_addslashes(*val,
> Z_STRLEN(new_var), &Z_STRLEN(new_var), 0 TSRMLS_CC);
>
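Review bot: The added `&& !retval` on the `else if (PG(magic_quotes_gpc) ...)` line skips `php_addslashes()` whenever `retval` is non-zero, and the only justification is the inline comment saying `php_register_variable_safe()` will do the escaping for PARSE_STRING. Nothing in the hunk shows what `retval` holds or how it relates to PARSE_STRING. Please either test the parse type explicitly or name the call that performs the escaping. Also confirm that no path with magic_quotes_gpc enabled leaves the value unescaped, since scripts that rely on the setting would otherwise receive raw input.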
This comment is wrong. It is not php_register_variable_safe() but
ext/filter that adds the magic_quotes.
And Antony's previous commit never fixed anything, it just broke
magic_quotes_gpc and completely disabled it, introducing possible SQL
injection vulnerabilities in tons of scripts...
BTW: When will ext/filter be rewritten to
a) support daisy chaining
b) not register the variables itself but actually work as filters
were supposed to do.
c) support Cookies correctly...
Stefan Esser
--
PHP CVS Mailing List (http://www.php.net/)