From a11c142449b5d8359ff87320e5b547d12b448d9b Mon Sep 17 00:00:00 2001
From: Michael Wallner <mike@php.net>
Date: Fri, 17 Jan 2014 15:31:53 +0100
Subject: [PATCH] proper character escaping

---
 php_http_params.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/php_http_params.c b/php_http_params.c
index 4b02e8c..76d6909 100644
--- a/php_http_params.c
+++ b/php_http_params.c
@@ -60,7 +60,7 @@ static inline void sanitize_escaped(zval *zv TSRMLS_DC)
 		ZVAL_STRINGL(zv, deq, deq_len, 0);
 	}
 
-	php_stripslashes(Z_STRVAL_P(zv), &Z_STRLEN_P(zv) TSRMLS_CC);
+	php_stripcslashes(Z_STRVAL_P(zv), &Z_STRLEN_P(zv) TSRMLS_CC);
 }
 
 static inline void prepare_escaped(zval *zv TSRMLS_DC)
@@ -68,9 +68,10 @@ static inline void prepare_escaped(zval *zv TSRMLS_DC)
 	if (Z_TYPE_P(zv) == IS_STRING) {
 		int len = Z_STRLEN_P(zv);
 
-		Z_STRVAL_P(zv) = php_addslashes(Z_STRVAL_P(zv), Z_STRLEN_P(zv), &Z_STRLEN_P(zv), 1 TSRMLS_CC);
+		Z_STRVAL_P(zv) = php_addcslashes(Z_STRVAL_P(zv), Z_STRLEN_P(zv), &Z_STRLEN_P(zv), 1,
+				ZEND_STRL("\0..\37\173\\\"") TSRMLS_CC);
 
-		if (len != Z_STRLEN_P(zv)) {
+		if (len != Z_STRLEN_P(zv) || strpbrk(Z_STRVAL_P(zv), "()<>@,;:\"/[]?={} ")) {
 			zval tmp = *zv;
 			int len = Z_STRLEN_P(zv) + 2;
 			char *str = emalloc(len + 1);
-- 
2.30.2