Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4700 to the following issue: The set_magic_quotes_runtime function in PHP 5.3.2 and 5.3.3, when the MySQLi extension is used, does not properly interact with use of the mysqli_fetch_assoc function, which might make it easier for context-dependent attackers to conduct SQL injection attacks via crafted input that had been properly handled in earlier PHP versions. References: http://bugs.php.net/52221 http://www.php.net/ChangeLog-5.php#5.3.4 Upstream commit: http://svn.php.net/viewvc/?view=revision&revision=302776
Following commits seem related too: http://svn.php.net/viewvc?view=revision&revision=302804 http://svn.php.net/viewvc?view=revision&revision=303366
I can't reproduce this issue on RHEL PHP 5.3.2 and 5.3.3. The output is escaped as expected, identical to the file_get_contents("test.txt") output. Looking at what code is touched by the patches referenced above, it's #ifdef MYSQLI_USE_MYSQLND code. Both RHEL and Fedora PHP packages still use libmysql, rather than new mysqlnd driver. Our builds should not be affected by this issue.
Fedora RFE for switch to mysqlnd - bug #510951.
Tomas is correct that this only affects the build with mysqlnd enabled, which we don't ship.
Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 4, 5, or 6.