PHP :: Bug #52221 :: Misbehaviour of magic_quotes_runtime (get/set))

Bug #52221 Misbehaviour of magic_quotes_runtime (get/set))
Submitted: 2010-07-01 14:13 UTC
Modified: 2010-09-15 14:40 UTC
Votes: 1
Avg. Score: 4.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: m dot philipp at coreto dot de
Assigned: mysql
Status: Closed
Package: MySQLi related
PHP Version: 5.3.2
OS: Any (if using mysqlnd)
Private report: No
CVE-ID: None

 [2010-07-01 14:13 UTC] m dot philipp at coreto dot de

Description:
------------
The documentation lists the get_magic_quotes_runtime() / set_magic_quotes_runtime() functions as DEPRECATED as of this PHP version. They still exist and can be called, but already work inconsistently. When magic_quotes_runtime 
file_get_contents() still escapes data, mysqli_fetch_assoc() does not anymore.

Test script:
---------------
<?php
set_magic_quotes_runtime(1);
echo "GMQR: ";
var_dump(get_magic_quotes_runtime());

$c = mysqli_connect();
mysqli_select_db($c, "test");
$r = mysqli_query($c, "select t from test;");
$ra = mysqli_fetch_assoc($r);
echo "\nDB test:\n" . $ra['t'];



$f = file_get_contents("test.txt");
echo "\n\nfile test.txt:\n" . $f;

----
Content of "test.txt" and table "t":
backslash: \
slash: /
double backslash: \\
quotes: "
single quotes: ' 



Expected result:
----------------
Expecting similar behaviour from both function calls, dependent on the actual magic_quotes_runtime setting.
-OR-
throwing a fatal or catchable_fatal error that unexpected results can occur. A function should be completely removed instead of marked as deprecated, when it starts to stop working like before.

Actual result:
--------------
Deprecated:  Function set_magic_quotes_runtime() is deprecated in test.php on line 1

GMQR: int(1)

DB test:
backslash: \
slash: /
double backslash: \\
quotes: "
single quotes: ' 

file test.txt:
backslash: \\
slash: /
double backslash: \\\\
quotes: \"
single quotes: \' 



 [2010-07-19 07:54 UTC] m dot philipp at coreto dot de

-Package: Documentation problem
+Package: Scripting Engine problem

 [2010-07-19 07:54 UTC] m dot philipp at coreto dot de

Package correction

 [2010-08-01 23:23 UTC] felipe@php.net

-Package: Scripting Engine problem
+Package: MySQLi related

 [2010-08-14 01:15 UTC] felipe@php.net

-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: mysql

 [2010-08-25 15:55 UTC] uw@php.net

-Status: Assigned
+Status: Wont fix
-Package: MySQLi related
+Package: Documentation problem

 [2010-08-25 15:55 UTC] uw@php.net

mysqlnd does not support magic quotes any more. It is a deprecated feature and mysqlnd is new. The documentation should note that.

 [2010-08-25 16:22 UTC] philip@php.net

-Status: Wont fix
+Status: Assigned

 [2010-08-25 16:27 UTC] andrey@php.net

It should be documented that mysqlnd is a new development and doesn't implement magic quotes. PDO is a new development too, and doesn't implement magic quotes either. What can be done is adding a php_error_docref(E_WARNING) at MINIT/RINIT which will tell the developer that if mysqlnd is active and magic_quotes is set that it won't work with mysqli. Also a warning can be thrown at every mysqli call.

 [2010-08-25 16:28 UTC] andrey@php.net

-Status: Assigned
+Status: Verified
-Assigned To: mysql
+Assigned To:

 [2010-08-25 16:32 UTC] uw@php.net

-Status: Verified
+Status: Assigned
-Assigned To:
+Assigned To: mysql

 [2010-08-25 16:32 UTC] uw@php.net

Getting quite unsure about the won't fix after discussion with Johannes. Johannes is correct in arguing that the silent removal of a deprecated feature could break apps unexpectedly, which is bad because magic quotes has some security impact. 

Maybe adding magic quotes (although they are deprecated) to mysqlnd and throwing a deprecation warning would be best?

Phillip, thoughts? You re-opened it. Not sure if you noticed I had changed the category/package: Did you intend to re-open as docs or code issue?

 [2010-08-25 22:20 UTC] philip@php.net

I reopened it after reading "The documentation should note that" but personally I think MQ should work the same everywhere.

 [2010-08-26 17:21 UTC] andrey@php.net

-Status: Assigned
+Status: Verified

 [2010-08-26 17:21 UTC] andrey@php.net

Fixed, to work like libmysql, in 5.3.4 
Documentation might need to be updated to state that it didn't work between 5.3.0 and 5.3.4

 [2010-09-03 16:22 UTC] uw@php.net

-Operating System: Windows Server 2008 R2
+Operating System: Any (if using mysqlnd)

 [2010-09-03 16:22 UTC] uw@php.net

Andrey, 

please have a look at the new test mysqli_magic_quotes.phpt. If I am not mistaken it will pass with libmysql but fail with mysqlnd.

Thanks!

 [2010-09-03 16:23 UTC] uw@php.net

-Package: Documentation problem
+Package: MySQLi related

 [2010-09-03 16:23 UTC] uw@php.net

Setting back to code bug. After the fix it also needs to be documented.

 [2010-09-15 14:40 UTC] uw@php.net

-Status: Verified
+Status: Closed
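
Added example, not part of the bug thread or of PHP's own code: a userland version of the startup warning suggested in the 2010-08-25 16:27 comment, plus a behavioural probe that needs no test table. The function names, the constructed client-info strings and the assumption that magic_quotes_sybase is off are assumptions of this example; the 5.3.0 to 5.3.4 range is the one stated in the 2010-08-26 comment.

```php
<?php
// Added example, not PHP project code; function names are hypothetical.

// Static check for the configuration this report describes. Inputs are
// parameters so the logic can be run on constructed values.
function mq_runtime_gap($version, $clientInfo, $mqRuntime)
{
    $mysqlnd = stripos($clientInfo, 'mysqlnd') !== false;
    // Range from the 2010-08-26 comment: broken from 5.3.0, fixed in 5.3.4.
    $affected = version_compare($version, '5.3.0', '>=')
        && version_compare($version, '5.3.4', '<');
    return $mqRuntime && $mysqlnd && $affected;
}

// Behavioural check on a live connection. CHAR(92) is one backslash, so a
// two-character value means the driver applied runtime escaping.
// Assumes magic_quotes_sybase is off (sybase mode leaves backslashes alone).
function mysqli_escapes_on_fetch(mysqli $link)
{
    $res = mysqli_query($link, 'SELECT CHAR(92) AS b');
    if ($res === false) {
        throw new RuntimeException('probe failed: ' . mysqli_error($link));
    }
    $row = mysqli_fetch_assoc($res);
    mysqli_free_result($res);
    return strlen($row['b']) === 2;
}

// Constructed inputs, not captured from a real host.
var_dump(mq_runtime_gap('5.3.2', 'mysqlnd 5.0.7-dev', true));  // reporter's setup
var_dump(mq_runtime_gap('5.3.4', 'mysqlnd 5.0.7-dev', true));  // fixed release
var_dump(mq_runtime_gap('5.3.2', '5.1.49', true));             // libmysql client

// Live runtime; get_magic_quotes_runtime() is absent from PHP 8.
$mq = function_exists('get_magic_quotes_runtime') && @get_magic_quotes_runtime();
if (function_exists('mysqli_get_client_info')
    && mq_runtime_gap(PHP_VERSION, mysqli_get_client_info(), $mq)) {
    trigger_error('magic_quotes_runtime is on, but mysqli (mysqlnd) returns '
        . 'unescaped rows in this PHP version', E_USER_WARNING);
}
```

mysqli_escapes_on_fetch() is only meaningful when called with magic_quotes_runtime enabled; a false result then means fetched rows arrive unescaped and any code that relied on runtime escaping must escape or bind those values itself.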