Newsgroups: php.internals
From: ilia@prohost.org (Ilia Alshanetsky)
To: Johannes Schlüter
Cc: PHP Internals List, Hannes Magnusson
Date: Mon, 8 Dec 2008 14:11:03 -0500
Subject: Re: [PHP-DEV] About dropping magic_quotes in 5.3 (was: Re: [PHP-DEV] Re: PHP 5.2.7 + magic_quotes_gpc broken)

In my opinion a big change like dropping something that was and still is
used by many people as a "security measure", albeit a poor one, is
something that can only be done in a major release.

On 8-Dec-08, at 10:47 AM, Johannes Schlüter wrote:

> Hi,
>
> let's take this to a new thread so it's not hidden in other
> discussions:
>
> On Mon, 2008-12-08 at 16:06 +0100, Hannes Magnusson wrote:
>>> I do not think it is necessary for 5.3. It is an alpha release after
>>> all and seriously, anyone who plans to move to 5.3.0 and still
>>> relies on magic quotes gpc is likely to have more issues as well.
>>
>> Time to turn it off by default then?
>
> Getting rid of magic_quotes would be really nice but has a very big
> "BUT".
>
> Many things (I won't call it "applications" or something...) out there
> are accidentally more or less safe due to magic_quotes.
> Many of these things were written by people with, at most, basic
> understanding of what they are doing and now are running at some random
> hosting company on a $9.99/year (no idea what today's prices are)
>
> When dropping magic_quotes the hosting company can do one of two
> things:
>
> a) not update to 5.3 so we either have to maintain 5.2 for some time or
> let them have problems
>
> b) update to 5.3. Doing that means they break many of their customers'
> code. Now they could add a default filter to add quotes again, what's
> the win? Except that it will break magic_quotes-compatible code and
> makes it harder to detect?
>
> People won't fix the code - the code was "developed" by some web design
> company 5 years ago and nobody touches the site anymore and there's no
> maintenance contract between the design company and the site owner
> anymore...
>
> The only way I see for getting rid of magic_quotes is with a version
> which will require people to touch the code anyways and with a big
> "marketing campaign" so I think PHP 6 is a way better time for that even
> so I'm really annoyed by it when doing stuff myself...
>
> Comments and other views are welcome,
> johannes

Ilia Alshanetsky