Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:50303 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 58563 invoked from network); 17 Nov 2010 16:14:15 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Nov 2010 16:14:15 -0000 Authentication-Results: pb1.pair.com smtp.mail=pierrick@webstart.fr; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=pierrick@webstart.fr; sender-id=unknown Received-SPF: error (pb1.pair.com: domain webstart.fr from 209.85.214.170 cause and error) X-PHP-List-Original-Sender: pierrick@webstart.fr X-Host-Fingerprint: 209.85.214.170 mail-iw0-f170.google.com Received: from [209.85.214.170] ([209.85.214.170:48206] helo=mail-iw0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 1D/42-40885-65FF3EC4 for ; Wed, 17 Nov 2010 11:14:15 -0500 Received: by iwn41 with SMTP id 41so2434285iwn.29 for ; Wed, 17 Nov 2010 08:14:12 -0800 (PST) MIME-Version: 1.0 Received: by 10.231.16.66 with SMTP id n2mr7279174iba.182.1290010451884; Wed, 17 Nov 2010 08:14:11 -0800 (PST) Received: by 10.231.199.197 with HTTP; Wed, 17 Nov 2010 08:14:11 -0800 (PST) In-Reply-To: References: Date: Wed, 17 Nov 2010 11:14:11 -0500 Message-ID: To: Kalle Sommer Nielsen Cc: Internals Content-Type: multipart/alternative; boundary=000325574dbebdba02049541f64a Subject: Re: [PHP-DEV] Magic quotes in trunk From: pierrick@webstart.fr (Pierrick Charron) --000325574dbebdba02049541f64a Content-Type: text/plain; charset=ISO-8859-1 +1 for removing it in trunk Pierrick On 17 November 2010 11:08, Kalle Sommer Nielsen wrote: > Greetings > > I wanted to raise this topic before we go Alpha with trunk, regarding > our beloved magic_quotes feature. There seems to be mixed opinions > regarding it so I thought I would take it up for discussion. > > We have advised people not to use magic_quotes, register_globals and > the like for years, and they were marked as deprecated in 5.3.0+ if > activated through their php.ini directives. Yet magic_quotes still is > set to "On" in 5.3.0. I think its worth we either remove the feature > or disable it in trunk as its a security related feature. Lets have a > look at what each of those options means: > > Removing magic_quotes): > Means we will remove the feature entirely in the source, we will throw > an E_CORE_ERROR if activated so people who have it enabled are forced > to disable it and make their applications work without magic_quotes. > This creates a minor issue for the hosts that simply disable it and > have their customers applications run without them which can create a > security risk for them, although it should be fairly limited. The > functions to check for magic_quotes_runtime should however stay for BC > to avoid applications that run on multiple versions of PHP from doing: > if(function_exists('...') && ...) > > Disabling them): > This will help to disable the spread of magic_quotes even more, and it > can safely be removed in the next major version of PHP. > > > My personal vote here goes towards removing them entirely. > > > What are your inputs on this matter? > > -- > regards, > > Kalle Sommer Nielsen > kalle@php.net > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > --000325574dbebdba02049541f64a--