Newsgroups: php.internals
Date: Thu, 14 Aug 2003 07:55:35 -0700 (Pacific Standard Time)
To: Ilia Alshanetsky
cc: moshe doron, internals@lists.php.net
In-Reply-To: <200308141107.02183.ilia@prohost.org>
Subject: Re: [PHP-DEV] Re: PHP 4.3.3RC3 Released
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Right, and in the end this should be done on a per-site basis through the
input filtering mechanism I added to PHP5 a while ago.

-Rasmus

On Thu, 14 Aug 2003, Ilia Alshanetsky wrote:

> First of all this discussion bears no relevance to the 4.3.3 release as sqlite
> is NOT part of this release. Secondly this is just plain silly. PHP is not
> and is not responsible for validating input. If the user chooses not to and
> consequently leaves their scripts vulnerable to SQL injection it is their
> fault and their fault alone.
> Ability to chain queries is an extremely useful feature that most database
> systems support (even MySQL as of version 4.0). To cripple or disable such
> functionality would be absolute idiocy not to mention break backwards
> compatibility to older versions where this was possible. Adding more run-time
> directives (as suggested by Hartmut Holzgraefe) is a bad idea as it makes
> writing portable code extremely difficult as each system may have a
> drastically different behavior due to an ini option.
>
> Ilia
>
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
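The interaction between query chaining and unvalidated input discussed in this thread, as an added example that is not part of the original messages and is not PHP's code: it uses Python's standard `sqlite3` module instead of PHP's sqlite extension, and the tables, function names and input value are constructed for illustration.

```python
import sqlite3

# Constructed sample input: closes the string literal, then chains a second statement.
HOSTILE_NAME = "nobody'); DELETE FROM users; --"

def make_db():
    """In-memory database with two constructed rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (name TEXT);"
        "CREATE TABLE audit (name TEXT);"
        "INSERT INTO users VALUES ('alice');"
        "INSERT INTO users VALUES ('bob');"
    )
    return db

def user_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def log_lookup_concatenated(db, name):
    """Weak form: input pasted into SQL and sent through an API that chains statements."""
    db.executescript("INSERT INTO audit VALUES ('" + name + "');")

def log_lookup_bound(db, name):
    """Hardened form: the value is bound, so it is stored as data and never parsed as SQL."""
    db.execute("INSERT INTO audit VALUES (?)", (name,))
    db.commit()

def single_statement_api_rejects_chain(db, name):
    """execute() takes one statement; a chained string is refused before anything runs."""
    try:
        db.execute("INSERT INTO audit VALUES ('" + name + "')")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    log_lookup_concatenated(db, HOSTILE_NAME)
    print("rows left after concatenated, chained call:", user_count(db))
    db = make_db()
    log_lookup_bound(db, HOSTILE_NAME)
    print("rows left after bound call:", user_count(db))
    db = make_db()
    print("chain refused by single-statement call:",
          single_statement_api_rejects_chain(db, HOSTILE_NAME))
```

Chaining stays available through the multi-statement call for trusted SQL, while binding keeps application input out of the statement text regardless of which call is used.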