Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:42162
Return-Path: <sean@caedmon.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 24666 invoked from network); 8 Dec 2008 16:31:37 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 8 Dec 2008 16:31:37 -0000
Authentication-Results: pb1.pair.com header.from=sean@caedmon.net; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=sean@caedmon.net; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain caedmon.net from 64.15.79.181 cause and error)
X-PHP-List-Original-Sender: sean@caedmon.net
X-Host-Fingerprint: 64.15.79.181 iconoclast.caedmon.net Linux 2.5 (sometimes 2.4) (4)
Received: from [64.15.79.181] ([64.15.79.181:48721] helo=iconoclast.caedmon.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 4A/87-21579-7EB4D394 for <internals@lists.php.net>; Mon, 08 Dec 2008 11:31:36 -0500
Received: from localhost (localhost [127.0.0.1])
	by iconoclast.caedmon.net (Postfix) with ESMTP id 4F50C1E0009;
	Mon,  8 Dec 2008 11:31:30 -0500 (EST)
X-Virus-Scanned: Debian amavisd-new at iconoclast.caedmon.net
Received: from iconoclast.caedmon.net ([127.0.0.1])
	by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id NFk7ke4xbQD9; Mon,  8 Dec 2008 11:31:22 -0500 (EST)
Received: from [10.8.0.2] (sarcasm.vpn [10.8.0.2])
	by iconoclast.caedmon.net (Postfix) with ESMTP id 746E51E000E;
	Mon,  8 Dec 2008 11:31:22 -0500 (EST)
Cc: RQuadling@GoogleMail.com,
 PHP Internals List <internals@lists.php.net>
Message-ID: <89A3B2FC-7885-4249-836F-D5671B22DF46@caedmon.net>
To: =?ISO-8859-1?Q?Johannes_Schl=FCter?= <johannes@php.net>
In-Reply-To: <1228753192.3429.30.camel@goldfinger.johannes.nop>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Mon, 8 Dec 2008 11:31:24 -0500
References: <1228751251.3429.18.camel@goldfinger.johannes.nop> <10845a340812080803u2a1ef114j7dae338186725ba5@mail.gmail.com> <1228753192.3429.30.camel@goldfinger.johannes.nop>
X-Mailer: Apple Mail (2.929.2)
Subject: Re: [PHP-DEV] About dropping magic_quotes in 5.3 (was: Re:	[PHP-DEV] Re: PHP 5.2.7 + magic_quotes_gpc broken)
From: sean@caedmon.net (Sean Coates)

> I don't safe stuff relying on magic_quotes is safe but kicking it will
> open up way more attack vectors... :-(

In my opinion, this isn't about opening attack vectors (one hole is  
all it takes, so they're probably already vulnerable), but removing  
mqgpc without fair warning to end users could open up plenty of  
failure situations when the data is "trusted" and the developers  
didn't strip/escape the [magic] quotes properly:

$_GET['search'] = "O'Reilly";

$sql = "select * from books where publisher = '" . $_GET['search'] ."'";

The above was never "safe", but it "worked" in a trusted environment  
with mqgpc on. Removing it would cause a SQL error.

Note: I'm not condoning the use of mqgpc; just saying that disabling  
it abruptly has potential for a lot of unintended breakage.

S