PHP 5.2.7 is released, but with broken magic_quotes_gpc
A bug causing magic_quotes_gpc to fail
After about 7 months of development, PHP announced that 5.2.7 is released. However, shortly after the release, a bug was found that causes filters and magic_quotes_gpc to not work properly. It is recommended not to install this version; a new release fixing this bug is expected shortly. In the meantime, adding the following line to your php.ini will solve the problem.
filter.default_flags=0
More information about this bug can be found here.
Use the right method to properly escape user input
magic_quotes_gpc is a PHP setting that automatically escapes the $_GET, $_POST and $_COOKIE variables. This causes a lot of (poorly written) PHP scripts out there, which blindly rely on magic_quotes_gpc, to be wide open to various SQL/XSS injections.
If you run a website that relies on magic_quotes_gpc for escaping user input, we strongly recommend that you disable access to such scripts until a version fixing this bug is released.
Since most web-hosting companies have magic_quotes_gpc enabled, probably to protect their own systems against poorly written code, a lot of developers don't bother escaping user input. Because of this, when a situation like this occurs, or when the developer decides to move their website to another hosting company which has magic_quotes_gpc disabled, the web application is most likely vulnerable to SQL/XSS injections. Therefore, we suggest that you disable magic_quotes_gpc and use other functions (mysql_escape_string() or pg_escape_string()) to escape your user input, and learn how to write secure code without depending on magic_quotes_gpc.
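As an added example (not code from the original post), the following PHP 5.2-era helpers make a script behave the same whether magic_quotes_gpc is on, off or broken: input is normalised once, then escaped explicitly for the context it is used in. The $link and $conn connection handles are assumed to exist.

```php
<?php
// Added example, not from the original post.

// Undo magic_quotes_gpc if the host has it enabled, so every value reaches
// the application unescaped exactly once. Handles nested arrays in $_GET etc.
function strip_magic($value) {
    return is_array($value) ? array_map('strip_magic', $value) : stripslashes($value);
}

function raw_input(array $source, $key, $default = '') {
    if (!isset($source[$key])) {
        return $default;
    }
    $value = $source[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = strip_magic($value);
    }
    return $value;
}

// SQL context: escape with the driver actually in use, never with addslashes().
// mysql_real_escape_string() honours the connection's character set;
// $link is an assumed existing mysql connection resource.
function sql_literal_mysql($link, $value) {
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// $conn is an assumed existing PostgreSQL connection resource.
function sql_literal_pg($conn, $value) {
    return "'" . pg_escape_string($conn, $value) . "'";
}

// HTML context: SQL escaping does nothing against XSS, so escape again
// whenever a value is echoed back into a page.
function html_text($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Usage (assumes $link is a live mysql connection):
// $name = raw_input($_GET, 'name');
// $sql  = "SELECT id FROM users WHERE name = " . sql_literal_mysql($link, $name);
// echo "<p>Hello, " . html_text($name) . "</p>";
```

The same pattern removes the dependency on magic_quotes_gpc entirely, so moving the site to a host with a different php.ini changes nothing about its escaping.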