From: jps at corah dot org
Operating system: GNU/Linux
PHP version: 5.0.0
PHP Bug Type: Strings related
Bug description: magic_quotes_gpc = off not affecting GPC keys
Description:
------------
The $_GET, $_POST and $_COOKIE index keys (having the latter two not been
confirmed) get escaped even when magic_quotes_gpc is disabled. This is
not a big problem since few people will actually use special characters on
those, but it seems inconsistent to me, so I am reporting it. I didn't
really test the the $_POST and $_COOKIE variables, but I guess the
behaviour would be the same. This problem does not affect other regular
array keys.
Personally I'd rather that you remove the whole magic_quotes stuff once
and for all, and send all lame programmers who depend on it to hell, since
this setting makes it much harder to write portable code and php has
builtin functions to specificly escape strings.
Reproduce code:
---------------
<?php
echo("magic_quotes_runtime is ".
(get_magic_quotes_runtime() ? "on" : "off")."<br />");
echo("magic_quotes_gpc is ".
(get_magic_quotes_gpc() ? "on" : "off")."<br />");
while (list($key, $val) = each($_GET))
echo(htmlentities($key." = ".$val)."<br />");
echo(htmlentities("For: ".$_SERVER["REQUEST_URI"])."<br />");
?>
Expected result:
----------------
magic_quotes_runtime is off
magic_quotes_gpc is off
"get" = "hello"
For: /~jps/flot/calls/poc.php?"get"="hello"
Actual result:
--------------
magic_quotes_runtime is off
magic_quotes_gpc is off
\"get\" = "hello"
For: /~jps/flot/calls/poc.php?"get"="hello"
--
Edit bug report at http://bugs.php.net/?id=29776&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=29776&r=trysnapshot4
Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=29776&r=trysnapshot5
Fixed in CVS: http://bugs.php.net/fix.php?id=29776&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=29776&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=29776&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=29776&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=29776&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=29776&r=support
Expected behavior: http://bugs.php.net/fix.php?id=29776&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=29776&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=29776&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=29776&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=29776&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=29776&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=29776&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=29776&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=29776&r=float
