View Issue Details

IDProjectCategoryView StatusLast Update
0000156Main CAcert Websitesource codepublic2018-11-11 18:37
ReporterbluecAssigned Tobluec 
Status needs workResolutionopen 
Summary0000156: magic_quotes_gpc vs. mysql_escape_string()
DescriptionI see many cases where mysql_escape_string() is applied to $_REQUEST, $_POST or $_GET. As magic_quotes already escaped these strings this may lead to corruption of the userinput.

e.g. in api/ccsr.php

        $username = mysql_escape_string($_REQUEST['username']);
        $password = mysql_escape_string($_REQUEST['password']);

I recommend using something like quote_smart() from

  function quote_smart($value)
     // stripslashes, if necessary
     if (get_magic_quotes_gpc()) {
         $value = stripslashes($value);

     // quote, if not numeric
     if (!is_numeric($value)) {
         $value = "'" . mysql_real_escape_string($value) . "'";

     return $value;

Additionally since PHP 4.3.0 it's recommended to use mysql_real_escape_string().
TagsNo tags attached.
Reviewed by
Test Instructions


related to 0001031 fix availablePatrick Disable use of insecure function mysql_escape_string() 
related to 0001260 needs workBenBE Make the source compatible with recent PHP versions 



2006-08-16 13:36

developer   ~0000523

We need patches and/or source locations, this bug isn't a simple one and feeds back into the requirement to turn off globals...


2008-02-18 13:42

reporter   ~0001010

I can confirm this bug exists for the "Contact Information" field of the "My Listing" section.

Issue History

Date Modified Username Field Change
2006-03-05 21:42 bluec New Issue
2006-08-16 13:36 duane Note Added: 0000523
2006-08-16 13:36 duane Status new => needs work
2006-08-16 13:36 duane Assigned To => bluec
2008-02-18 13:42 dionyziz Note Added: 0001010
2013-11-12 21:25 INOPIAE Relationship added related to 0001031
2014-03-19 10:53 BenBE Relationship added related to 0001260