ID: 40586 Updated by: [EMAIL PROTECTED] Reported By: gk at gknw dot de -Status: Open +Status: Closed Bug Type: Documentation problem Operating System: at least NetWare, Win32 PHP Version: 4.4.x New Comment:
This bug has been fixed in the documentation's XML sources. Since the online and downloadable versions of the documentation need some time to get updated, we would like to ask you to be a bit patient. Thank you for the report, and for helping us make our documentation better. "In PHP 4, also Environment variables: $_ENV variables are escaped." Previous Comments: ------------------------------------------------------------------------ [2007-03-30 16:00:51] gk at gknw dot de I doubt that the fix might turn into a security problem because its related to the system's _ENV vars, and not to something coming from outside - if we cant even trust the system's env vars then there's something wrong with the whole system's setup. Also everyone who now expect this behavior in his code build upon an undocumented feature. greets, Günter. ------------------------------------------------------------------------ [2007-03-26 11:06:20] [EMAIL PROTECTED] I think we should document this instead, as changing it might cause security problems for people. ------------------------------------------------------------------------ [2007-03-26 10:33:05] [EMAIL PROTECTED] This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. ------------------------------------------------------------------------ [2007-03-23 15:56:18] [EMAIL PROTECTED] This behavior is wrong. _gpc stands for GET, POST, COOKIE. ------------------------------------------------------------------------ [2007-02-21 20:30:40] gk at gknw dot de Description: ------------ With PHP 4.3.x and 4.4.x the _ENV superglobals get escaped if they contain backslahes and magic_quotes_gpc is on. This does happen with the Apache SAPI as well as with the CLI on commandline. When I getenv() same environment vars this doesnt happen. Also compared to PHP 5.2.x where this doesnt happen - regardless of the magic_quotes_gpc setting. I digged through the docu but couldnt find anything about this 'feature' mentioned with 4.x, nor the difference that it was dropped with 5.x. Expected result: ---------------- I think this 'feature' should be mentioned in the docu, and the difference between 4.x and 5.x behaviour, also because with 4.x magic_quotes_gpc is on by default. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=40586&edit=1
