PHP 5.2.7 updated because magic_quotes_gpc is broken

December 7th, 2008 | by Guillaume Plessis

Stefan Esser has posted a warning about upgrading PHP to the 5.2.7 release:

(…) a change in the ext/filter extension that by default processes all incoming data, broke the magic_quotes_gpc feature. While magic_quotes_gpc itself is deprecated and it is recommended to not rely on it as protection against SQL injection, it is still used in many legacy applications that become very insecure once it is turned off. And exactly that happens with the upgrade to PHP 5.2.7. The fix for this was already committed to the PHP CVS and PHP 5.2.8 will be released next week.

I just fixed this issue in the Dotdeb packages; just upgrade your servers.
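
To confirm whether a given server is affected, the following added example (not code from this post, Dotdeb or the PHP project) compares the configured magic_quotes_gpc setting with what actually arrives in `$_GET`. The file name `magic-quotes-check.php` and the `probe` parameter are hypothetical; it is written in PHP 5.2-compatible syntax and assumes nothing else in the request path rewrites `$_GET`.

```php
<?php
// Added example: behavioural self-test for magic_quotes_gpc.
// Deploy temporarily and request: magic-quotes-check.php?probe=a%27b
// (file name and "probe" parameter are hypothetical).

function ini_flag($name)
{
    // php.ini booleans may surface as "1", "On", "yes" or "true".
    $value = strtolower((string) ini_get($name));
    return in_array($value, array('1', 'on', 'yes', 'true'));
}

function expected_probe($raw, $sybase)
{
    // magic_quotes_sybase doubles single quotes instead of backslash-escaping.
    return $sybase ? str_replace("'", "''", $raw) : addslashes($raw);
}

function classify($configured_on, $received, $raw, $sybase)
{
    if (!$configured_on) {
        return 'OFF: magic_quotes_gpc is disabled in the configuration';
    }
    if ($received === expected_probe($raw, $sybase)) {
        return 'OK: magic_quotes_gpc is on and input arrives escaped';
    }
    if ($received === $raw) {
        // The failure described above: setting is on, escaping is not applied.
        return 'BROKEN: magic_quotes_gpc is on but input arrives unescaped';
    }
    return 'UNKNOWN: unexpected probe value, check the request';
}

$raw = "a'b"; // constructed probe value containing one single quote

header('Content-Type: text/plain');
if (!isset($_GET['probe'])) {
    echo "Request this script with ?probe=a%27b\n";
} else {
    $result = classify(
        ini_flag('magic_quotes_gpc'),
        $_GET['probe'],
        $raw,
        ini_flag('magic_quotes_sybase')
    );
    echo 'PHP ', PHP_VERSION, ': ', $result, "\n";
}
```

A version check alone is not enough here, since the fixed Dotdeb packages still report 5.2.7; remove the script once the result is recorded.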


  1. 12 Responses to “PHP 5.2.7 updated because magic_quotes_gpc is broken”

  2. By FILLVAIO2 on Dec 7, 2008 | Reply

    Thanx for everyone of this site.

    My apache2 server was crashing every time, with this error in the log file: [notice] child pid ???? exit signal Segmentation fault (11). I found with [gdb] that it was the libgd.so.2 module from PHP.

    I have upgraded PHP 5.2.0.8 to 5.2.7 on the Debian server from your site, and all works fine!

    Again – thank you very much!

    Problem fixed!

  3. By Sebastian Harnau on Dec 8, 2008 | Reply

    Thanks a lot for providing the corrected packages, because the error broke our MediaWiki-Installation of rezeptewiki.org for a few hours. Site was online and pages could be viewed, but no changes could be made, because the MediaWiki-Script wasn’t able to check some hidden input fields…

    Now everything is running as expected. Thanks!

  4. By Guillaume Plessis on Dec 8, 2008 | Reply

    @FILLVAIO2 : Great :)

    @Sebastian Harnau : This was a serious problem and I thought it was important to fix it immediately, without the upcoming 5.2.8 release.

  5. By Ingrid S. Jimenez on Dec 8, 2008 | Reply

    Is there any reason why anyone would turn the stupid thing on to begin with?

    http://www.thephpworklist.com

  6. By Christopher on Dec 8, 2008 | Reply

    http://de3.php.net/get/php-5.2.8.tar.bz2/from/a/mirror

    What's this?

    I can't “apt-get upgrade” anymore, it does not find any package to update …

  7. By Guillaume Plessis on Dec 8, 2008 | Reply

    @Christopher. Don’t fetch PHP 5.2.8 yet. Please upgrade to the 5.2.7-0.dotdeb.1 packages, they’re secure.

  8. By Christopher B. on Dec 8, 2008 | Reply

    I've read at golem.de that this PHP version isn't secure. What should I do now? Should I try a downgrade or is this version secure?

  9. By Guillaume Plessis on Dec 8, 2008 | Reply

    @Christopher B. : the 5.2.7-0.dotdeb.1 packages are secure, they are 5.2.8 without the right version number. You can upgrade without any known security problem.

  10. By Christopher B. on Dec 8, 2008 | Reply

    @Guillaume Plessis : Thanks for the fast reply. Ok I will use the actually php5dotdeb Version.

  11. By desfrenes on Dec 9, 2008 | Reply

    It’s crazy… this “feature” is so deprecated, programmers should learn to escape their inputs and use prepared statements instead of relying on such a hack.
