Make WordPress Core

Opened 3 years ago

Last modified 6 months ago

#19455 new defect (bug)

The "magic_quotes_sybase" Problem

Reported by: summerblue Owned by: 夏天
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 3.2.1
Component: Bootstrap/Load Keywords: has-patch
Focuses: Cc:

Description (last modified by SergeyBiryukov)

Post A Post, titled (in the double quote) : "Charlie's little cat"

It will become (in the double quote) : "Charlie''s little cat"

Notice that, single quote become double quotes!!

YES , My 'magic_quotes_gpc' and 'magic_quotes_sybase' are enabled!

Here is The PHP.NET links: http://php.net/manual/en/security.magicquotes.disabling.php

Attachments (2)

magic_quotes_sybase.png (2.4 KB) - added by summerblue 3 years ago.
19455.patch (921 bytes) - added by kurtpayne 3 years ago.

Download all attachments as: .zip

Change History (9)

comment:1 ryan3 years ago

Related: r18549

comment:2 SergeyBiryukov3 years ago

  • Description modified (diff)

comment:3 summerblue3 years ago

Here is the solution :

Remove the line below, it's in the "wp-settings.php" Line 33. It's in the wrong position!

@ini_set( 'magic_quotes_sybase', 0 );

And then, in the "wp-includes/load.php", in The function "wp_magic_quotes()" add the code below, immediately after "if ( get_magic_quotes_gpc() ) {}"

function wp_magic_quotes() {
	// If already slashed, strip.
	if ( get_magic_quotes_gpc() ) {
		$_GET    = stripslashes_deep( $_GET    );
		$_POST   = stripslashes_deep( $_POST   );
		$_COOKIE = stripslashes_deep( $_COOKIE );

	// Put it right here can solve the Problem. 
	// Just Mack sure turn of action is Occur after the "stripslashes_deep" action has done.
	if(ini_get('magic_quotes_sybase') && function_exists('ini_set')) {
		ini_set( 'magic_quotes_sybase', 0 );
	// Escape with wpdb
	$_GET    = add_magic_quotes( $_GET    );
	$_POST   = add_magic_quotes( $_POST   );
	$_COOKIE = add_magic_quotes( $_COOKIE );
	$_SERVER = add_magic_quotes( $_SERVER );

	// Force REQUEST to be GET + POST
	$_REQUEST = array_merge( $_GET, $_POST );

comment:5 kurtpayne3 years ago

  • Cc kpayne@… added

I can reproduce this. Here's what's happening:

  1. $_POST comes in with sybase quotes (e.g. Charlie''s little cat)
  2. magic_quotes_sybase is disabled
  3. stripslashes() is run on $_POST which respects sybase quotes settings.
    1. With sybase quotes disabled (current behavior), stripslashes is looking for \' instead of '' and this is not converted correctly.
    2. With sybase quotes still enabled (@summerblue's solution), stripslashes is looking for '', and the input is converted properly (e.g. Charlie''s -> Charlie's), then magic_quotes_sybase is disabled

I tested this solution on all possible combinations of magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase with no problems.

kurtpayne3 years ago

comment:6 SergeyBiryukov3 years ago

  • Keywords has-patch added

comment:7 nacin6 months ago

  • Component changed from General to Bootstrap/Load
Note: See TracTickets for help on using tickets.