Newsgroups: php.internals
Date: Wed, 17 Nov 2010 22:42:43 -0800
From: philip@roshambo.org (Philip Olson)
To: Larry Garfield
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Magic quotes in trunk
In-Reply-To: <201011172340.37217.larry@garfieldtech.com>

On Nov 17, 2010, at 9:40 PM, Larry Garfield wrote:

> On Wednesday, November 17, 2010 11:19:05 pm Philip Olson wrote:
>>> What are your inputs on this matter?
>>
>> I'm struggling with this topic. We must do something, but it's important to
>> understand that plenty of people unknowingly rely upon this security
>> feature that's still enabled by default. Granted 5.3 does generate
>> E_DEPRECATED errors when magical quotes are enabled, but is one minor PHP
>> version of errors enough to go from on to gone?
>>
>> So while those in the know (e.g., people who follow this list) find them
>> annoying and wish they never existed, what are the implications? I'm still
>> unsure how best to handle this situation but wanted to express these
>> feelings now. Whatever the case, the education effort towards data
>> filtering and sanitization requires a lot of improvement.
>>
>> Regards,
>> Philip
>
> I won't miss magic quotes if they're removed, but I can see the argument for
> saying "not quite yet". Off-by-default is absolutely necessary if they're
> kept. (Dear god, you mean they aren't off by default already?)
>
> --Larry Garfield

This is true. And in addition to the E_DEPRECATED error, it's worth
mentioning that 5.3 includes two optional php.ini-* files
(php.ini-production and php.ini-development) that disable magic quotes.
But of course not everyone uses these, and "default" is how PHP behaves
without a php.ini file. Older versions of PHP include php.ini-dist (On)
and php.ini-recommended (Off).

Regards,
Philip