Newsgroups: php.internals
Date: Wed, 17 Nov 2010 17:08:36 +0100
To: Internals
Subject: Magic quotes in trunk
From: kalle@php.net (Kalle Sommer Nielsen)

Greetings

I wanted to raise this topic before we go Alpha with trunk, regarding our beloved magic_quotes feature. There seem to be mixed opinions regarding it so I thought I would take it up for discussion.

We have advised people not to use magic_quotes, register_globals and the like for years, and they were marked as deprecated in 5.3.0+ if activated through their php.ini directives. Yet magic_quotes still is set to "On" in 5.3.0. I think it's worth we either remove the feature or disable it in trunk as it's a security-related feature.

Let's have a look at what each of those options means:

Removing magic_quotes):
Means we will remove the feature entirely in the source, we will throw an E_CORE_ERROR if activated so people who have it enabled are forced to disable it and make their applications work without magic_quotes. This creates a minor issue for the hosts that simply disable it and have their customers' applications run without them which can create a security risk for them, although it should be fairly limited. The functions to check for magic_quotes_runtime should however stay for BC to avoid applications that run on multiple versions of PHP from doing:
if(function_exists('...') && ...)

Disabling them):
This will help to disable the spread of magic_quotes even more, and it can safely be removed in the next major version of PHP.

My personal vote here goes towards removing them entirely.

What are your inputs on this matter?

--
regards,

Kalle Sommer Nielsen
kalle@php.net