Anonymous | Login | Signup for a new account | 12-17-2024 08:44 PST |
Main | My View | View Issues | Change Log | Docs |
Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
0001956 | [Quercus] | minor | always | 08-20-07 19:57 | 09-04-07 13:08 | ||||
Reporter | websurfer2 | View Status | public | ||||||
Assigned To | nam | ||||||||
Priority | normal | Resolution | fixed | ||||||
Status | closed | Product Version | 3.1.3 | ||||||
Summary | 0001956: Form field with quoted string is wrongly escaped | ||||||||
Description |
Quercus appears to not process quoted string from a http request correctly. When the submitted field is quoted such as ("test"), it will processed as (\"test\") in the $_REQUEST variable. While exactly the same script behaves normally in standard php engine. Pasted are the html page used to submit the request and the php script show the processed request. t.html // used to submit the request <html> <head><title>test Page</title></head> <body> <h1> test</h1> <form method = post action="t.php"> <input type =text name="QUERY" size=20> <input type=submit name="submit" value=submit> </form> </body> </html> t.php //used to show the request <?php $query = $_REQUEST['QUERY']; echo $query; ?> |
||||||||
Additional Information | |||||||||
Attached Files | |||||||||
|
Notes | |
(0002215) bago 08-22-07 08:12 |
It could be a difference in magic quote configuration. As an example drupal try to manually handle the various different configurations for PHP: http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc [^] function _fix_gpc_magic(&$item) { if (is_array($item)) { array_walk($item, '_fix_gpc_magic'); } else { $item = stripslashes($item); } } /** * Helper function to strip slashes from $_FILES skipping over the tmp_name keys * since PHP generates single backslashes for file paths on Windows systems. * * tmp_name does not have backslashes added see * http://php.net/manual/en/features.file-upload.php#42280 [^] */ function _fix_gpc_magic_files(&$item, $key) { if ($key != 'tmp_name') { if (is_array($item)) { array_walk($item, '_fix_gpc_magic_files'); } else { $item = stripslashes($item); } } } /** * Correct double-escaping problems caused by "magic quotes" in some PHP * installations. */ function fix_gpc_magic() { static $fixed = FALSE; if (!$fixed && ini_get('magic_quotes_gpc')) { array_walk($_GET, '_fix_gpc_magic'); array_walk($_POST, '_fix_gpc_magic'); array_walk($_COOKIE, '_fix_gpc_magic'); array_walk($_REQUEST, '_fix_gpc_magic'); array_walk($_FILES, '_fix_gpc_magic_files'); $fixed = TRUE; } } |
(0002262) nam 09-04-07 13:08 |
php/0878 The default configuration for magic_quotes_gpc was ON. This means that quotes will be escaped in $_POST, $_GET, and $_COOKIES. In the default php.ini, PHP5 has magic_quotes_gpc ON. But since PHP6 will be removing magic_quotes support altogether, Quercus will now have magic_quotes_gpc OFF by default. |
Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
32 total queries executed. 28 unique queries executed. |