Newsgroups: php.internals
Date: Mon, 19 Apr 2010 09:37:05 -0400
From: danielc@analysisandsolutions.com (Daniel Convissor)
To: PHP Internals List
Subject: Re: [PHP-DEV] [RFC] Removal of deprecated features
Message-ID: <20100419133704.GA19945@panix.com>
References: <1271371883.4615.55.camel@guybrush>
In-Reply-To: <1271371883.4615.55.camel@guybrush>

On Fri, Apr 16, 2010 at 12:51:23AM +0200, Johannes Schlüter wrote:
>
> Removing magic_quotes would be soooooooooooo great. BUT the issue is
> that most users don't know about it. Many applications are more or less
> secure due to its existence. The apps aren't fully secure but a few less
> vectors.

One way to remove magic_quotes without opening massive quantities of
security holes would be implementing taint mode support
(http://wiki.php.net/rfc/taint) and having the default taint_error_level
be E_FATAL.

Yes, this creates a painful upgrade path for the multitudes using
insecure coding practices. But it will hurt a lot less than having
their applications inadvertently subverted by
hackers/crackers/spammers/etc due to upgrading PHP.

--Dan

--
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
        4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
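
The upgrade risk discussed in this message, as an added example that is not part of the original thread: legacy code that concatenates request data into SQL and silently depended on magic_quotes_gpc, next to a bound-parameter replacement that does not. The function names, the `users` table and the sample value are hypothetical; it assumes PHP 7.1+, the pdo_sqlite extension, and a database that honours backslash escapes for the legacy half.

```php
<?php
// Added illustration, not code from the thread. Names and data are constructed.

// Roughly what magic_quotes_gpc applied to GET/POST/COOKIE values before the script ran.
function simulate_magic_quotes_gpc(string $value): string
{
    return addslashes($value);
}

// Legacy pattern: request data concatenated straight into the SQL text.
function legacy_sql(string $name): string
{
    return "SELECT id FROM users WHERE name = '" . $name . "'";
}

// Heuristic for this demo only: an odd number of quotes not preceded by a
// backslash means the input closed the string literal early.
function literal_is_broken(string $sql): bool
{
    return preg_match_all("/(?<!\\\\)'/", $sql) % 2 === 1;
}

// Replacement that does not depend on magic_quotes: a bound parameter.
function find_user(PDO $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$input = "O'Reilly"; // constructed request value containing a quote

// With magic_quotes_gpc on, the legacy code only ever saw the escaped value.
var_dump(literal_is_broken(legacy_sql(simulate_magic_quotes_gpc($input))));
// After removal, the same unchanged code receives the raw value.
var_dump(literal_is_broken(legacy_sql($input)));

// The bound parameter handles the raw value without any escaping step.
$db = new PDO('sqlite::memory:'); // assumes the pdo_sqlite extension
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO users (name) VALUES (?)')->execute([$input]);
var_dump(find_user($db, $input));
```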