Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP 5.1
From: george@omniti.com (George Schlossnagle)
To: Edin Kadribasic
Cc: George Schlossnagle, internals@lists.php.net
Date: Sun, 6 Feb 2005 19:26:59 -0500
In-Reply-To: <14380CCB-789A-11D9-B2A8-000393DC9908@emini.dk>

On Feb 6, 2005, at 6:51 PM, Edin Kadribasic wrote:

> On Sunday, Feb 6, 2005, at 23:07 Europe/Copenhagen, George Schlossnagle wrote:
>
>> I disagree. The fact that XSS attacks remain one of the largest issues plaguing large so-called enterprise sites points to data validation being a hard thing to remember to always do, and to do 'right'.
>
> So how do you feel about the impact magic_quotes had on preventing SQL injection attacks? In my own personal opinion it had marginal positive impact at best and it didn't prevent people writing queries like "delete from customer where customer_id=".$_GET['id']. It did however have a major negative impact on the portability of the PHP code written.

I think that magic_quotes was the wrong solution for the SQL injection problem. The right solution for that is to use a database layer with auto-escaping built into it (via something like PDO's emulated bindings). I realize that's not a real answer to your question, but I think that the issues with magic_quotes (which I agree is a travesty) stem from it being the wrong solution to the problem it tried to tackle.

George
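An added illustration of the point both messages make (this is not code from the thread, from PHP, or from PDO): magic_quotes only ever applied addslashes() to request data, so the unquoted numeric query Edin quotes gets no protection, while a PDO bound parameter does. It assumes an in-memory SQLite database through PDO; the table, rows and request value are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread. In-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT)');

function seed(PDO $db): void {
    // Constructed sample rows.
    $db->exec("INSERT INTO customer (customer_id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
}

// What magic_quotes_gpc did to every request value: addslashes(). It touches
// only quotes, backslashes and NUL bytes, so a value placed in an unquoted
// position like "customer_id=" . $id is left exactly as it arrived.
function emulateMagicQuotes(string $value): string {
    return addslashes($value);
}

// The pattern from the thread: concatenation into an unquoted integer slot.
// Escaping cannot help here because nothing in the statement is quoted.
function deleteCustomerConcat(PDO $db, string $id): int {
    $sql = 'DELETE FROM customer WHERE customer_id=' . emulateMagicQuotes($id);
    return $db->exec($sql);
}

// The fix George points to: let the database layer bind the value.
// The value travels as a parameter and is never spliced into SQL text;
// declaring it as an integer also rejects anything that is not one.
function deleteCustomerBound(PDO $db, string $id): int {
    $stmt = $db->prepare('DELETE FROM customer WHERE customer_id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed request value containing no quote characters at all.
$input = '1 OR 1=1';
if (emulateMagicQuotes($input) !== $input) {
    throw new RuntimeException('addslashes() changed a value with no quotes');
}

seed($db);
// Concatenation: the WHERE clause becomes always-true and all 3 rows go.
echo deleteCustomerConcat($db, $input), " rows deleted via concatenation\n";

seed($db);
// Bound parameter: the value is bound as the integer 1; exactly 1 row goes.
echo deleteCustomerBound($db, $input), " row deleted via bound parameter\n";
```

The same contrast holds for the emulated-binding mode of PDO (PDO::ATTR_EMULATE_PREPARES) that the reply mentions, since the driver quotes the bound value itself instead of relying on the caller.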