Newsgroups: php.internals
From: johannes@php.net (Johannes Schlüter)
To: RQuadling@GoogleMail.com
Cc: PHP Internals List
Date: Mon, 08 Dec 2008 17:19:52 +0100
Subject: Re: [PHP-DEV] About dropping magic_quotes in 5.3 (was: Re: [PHP-DEV] Re: PHP 5.2.7 + magic_quotes_gpc broken)

Hi,

On Mon, 2008-12-08 at 16:03 +0000, Richard Quadling wrote:
> But I also understand it is pretty shitty to miss a 1 liner (magic
> quotes removed) and find everything broken and then to be told
> RTFM/RTFCL.

There's a difference between this and other breaks: Most other BC breaks
change the behavior in a way you can easily spot; the magic_quotes issue
will only be spotted when actually testing for it - using the PHP app as
it is supposed to be used will work like a charm. Only when adding " or '
you get an SQL error ... which is a big security issue. (which again is
different from other BC breaks which just result in not working code)

I don't say stuff relying on magic_quotes is safe but kicking it will
open up way more attack vectors... :-(

johannes
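
The failure mode described in the message above, as an added example that is not part of the original mail or of PHP's own code: a lookup written on the assumption that magic_quotes_gpc had escaped the input behaves normally for ordinary values and only fails when a value contains a quote, while a bound parameter handles both. The table, the function names and the probe values are hypothetical; it assumes the pdo_sqlite extension and uses an in-memory database.

```php
<?php
// Added example, not code from the thread. Table and function names are
// hypothetical; requires the pdo_sqlite extension (in-memory database).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Legacy pattern: written on the assumption that magic_quotes_gpc had
// already escaped the request value, so it is concatenated as-is.
function find_user_legacy(PDO $db, $name) {
    $rows = $db->query("SELECT name FROM users WHERE name = '" . $name . "'");
    return $rows->fetchAll(PDO::FETCH_COLUMN);
}

// Replacement: the value is bound as a parameter and never parsed as SQL,
// so the result does not depend on any input-escaping setting.
function find_user_bound(PDO $db, $name) {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed probe values: one ordinary name, one containing a quote.
// A test suite that only uses values like the first never sees the break.
$probes = array('alice', "O'Brien");

foreach (array('find_user_legacy', 'find_user_bound') as $fn) {
    foreach ($probes as $value) {
        try {
            $found = count($fn($db, $value));
            printf("%-17s %-8s ok, %d row(s)\n", $fn, $value, $found);
        } catch (PDOException $e) {
            // The input changed the statement's structure, which marks
            // this code path as one that depended on input escaping.
            printf("%-17s %-8s SQL ERROR\n", $fn, $value);
        }
    }
}
```

Including quote-bearing values in regression tests before an upgrade is what surfaces the code paths that silently depended on the setting.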