Posted by & filed under PHP.

Stefan Esser has posted a warning about upgrading PHP to the 5.2.7 release:

(…) a change in the ext/filter extension that by default processes all incoming data, broke the magic_quotes_gpc feature. While magic_quotes_gpc itself is deprecated and it is recommended to not rely on it as protection against SQL injection, it is still used in many legacy applications that become very insecure once it is turned off. And exactly that happens with the upgrade to PHP 5.2.7. The fix for this was already committed to the PHP CVS and PHP 5.2.8 will be released next week.

I just fixed this issue in the Dotdeb packages; just upgrade your servers.
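To confirm on your own server that request data is really being escaped, rather than trusting the ini value alone, a behavioural probe like the following can be used. This is an added example, not Dotdeb or PHP project code; the parameter name `probe` and the function `classify_probe` are hypothetical, and it assumes PHP 5.2.x with `magic_quotes_sybase` off.

```php
<?php
// Added example for PHP 5.2.x hosts (get_magic_quotes_gpc() no longer exists in PHP 8).

// Constructed probe value containing a single quote, a double quote and a backslash,
// all of which magic_quotes_gpc escapes the same way addslashes() does
// (assumption: magic_quotes_sybase is off).
define('PROBE', "a'b\"c\\d");

/**
 * Compare what the setting claims with what actually arrived.
 * $received   : the probe as seen in $_GET / $_POST / $_COOKIE
 * $setting_on : the result of get_magic_quotes_gpc()
 */
function classify_probe($received, $setting_on)
{
    if ($received === addslashes(PROBE)) {
        $escaped = true;
    } elseif ($received === PROBE) {
        $escaped = false;
    } else {
        // A proxy, WAF or application filter changed the value on the way in.
        return 'inconclusive: probe was altered by something else';
    }

    if ($setting_on && !$escaped) {
        return 'BROKEN: magic_quotes_gpc is enabled but input arrives unescaped';
    }
    if (!$setting_on && $escaped) {
        return 'unexpected: input is escaped although the setting is off';
    }
    return $escaped ? 'ok: setting on, input escaped'
                    : 'ok: setting off, input raw';
}

// Web use: request this script with ?probe=a%27b%22c%5Cd
if (isset($_GET['probe'])) {
    header('Content-Type: text/plain');
    echo classify_probe($_GET['probe'], (bool) get_magic_quotes_gpc()), "\n";
}
```

A `BROKEN` result on a legacy application that depends on magic_quotes_gpc means its queries are receiving raw input; remove the script from the server once the check is done.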

10 Responses to “PHP 5.2.7 updated because magic_quotes_gpc is broken”

  1. FILLVAIO2

    Thanks to everyone at this site.

    My apache2 server was crashing every time, with this error in the log file: [notice] child pid ???? exit signal Segmentation fault (11). I found with [gdb] that it was the libgd.so.2 module from PHP.

    I have upgraded PHP 5.2.0.8 to 5.2.7 on a Debian server from your site, and all works fine!

    Again – thank you very much!

    Problem fixed!

  2. Sebastian Harnau

    Thanks a lot for providing the corrected packages, because the error broke our MediaWiki-Installation of rezeptewiki.org for a few hours. Site was online and pages could be viewed, but no changes could be made, because the MediaWiki-Script wasn’t able to check some hidden input fields…

    Now everything is running as expected. Thanks!

  3. Guillaume Plessis

    @FILLVAIO2 : Great 🙂

    @Sebastian Harnau : This was a serious problem and I thought it was important to fix it immediately, without the upcoming 5.2.8 release.

  4. Christopher B.

    I've read at golem.de that this PHP version isn’t secure. What should I do now? Should I try a downgrade or is this version secure?

  5. Guillaume Plessis

    @Christopher B. : the 5.2.7-0.dotdeb.1 packages are secure, they are 5.2.8 without the right version number. You can upgrade without any known security problem.

  6. Christopher B.

    @Guillaume Plessis : Thanks for the fast reply. Ok I will use the actually php5dotdeb Version.

  7. desfrenes

    It’s crazy… this “feature” is so deprecated, programmers should learn to escape their inputs and use prepared statements instead of relying on such a hack.
