Newsgroups: php.internals
Xref: news.php.net php.internals:50325
Subject: Re: [PHP-DEV] Magic quotes in trunk
From: kalle@php.net (Kalle Sommer Nielsen)
To: Zeev Suraski
Cc: Larry Garfield, internals@lists.php.net
Date: Thu, 18 Nov 2010 09:05:22 +0100
In-Reply-To: <887FE7CFF6F8DE4BB3A9535F53AFD06A2C5A4581@il-ex2.zend.net>
References: <6628E909-5B8E-4FB4-A28F-ECAF7FCA27AB@roshambo.org> <201011172340.37217.larry@garfieldtech.com> <887FE7CFF6F8DE4BB3A9535F53AFD06A2C5A4581@il-ex2.zend.net>

2010/11/18 Zeev Suraski :
> The voice of reason...
> As much as I'd like to see magic quotes burning in hell (had the option to kill them when they were small, but unfortunately didn't), I'm wondering whether the people +1'ing are thinking about the potential consequences to doing this, and if they're also volunteering to respond (nicely!!) to the endless complaints, flames, and just general "what happened???!!!" mailing list emails that may flood us when this happens. With 6.0, we talked about having prepend-scripts that emulate magic quotes available, since like it or not - there are probably billions of lines of code out there that rely on the existence of magic quotes.
> I don't have a strong opinion on whether we should remove magic quotes altogether in 5.4 and provide emulation instructions, or just disable it by default as a first step.

I think we either should kill it or disable it now and remove it in the next major version of PHP, be that 5.5 or 6.0.
I don't think we should provide emulation instructions, but rather some improved chapters in the manual about what they are, how they work and how to make sure applications are "protected" / compatible against them, so even the basic PHP developer takes it into consideration. Because even doing:

$mysqli->query('SELECT * FROM `developers` WHERE `username` = \'' . $_GET['username'] . '\'');

is bad with or without magic_quotes; there's a security issue nonetheless if people are writing code like that. I think we need to better educate our developers about these features, and I wouldn't mind writing some manual pages regarding this we can advertise with the release. Or at least find out how big a problem it would be, because there are still many companies with legacy code applications running an ancient version of PHP and never would upgrade or similar reasons. But all in all, I think it depends on us advertising it properly in the manual, how to deal with it that is.

-- 
regards,

Kalle Sommer Nielsen
kalle@php.net
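The message above makes two points: that an application should be written so it is correct whether or not magic_quotes_gpc is on, and that the concatenated query it quotes is unsafe in either case. The following is an added example illustrating both, written for this page and not code from the post, from Kalle, or from the PHP project. It assumes a MySQL server reachable with the placeholder credentials shown, a table `developers` with a `username` column, a mysqlnd-based PHP 5.x build (so that `get_magic_quotes_gpc()` still exists and `mysqli_stmt::get_result()` is available), and the hypothetical function names `undo_magic_quotes`, `find_developer_unsafe`, `find_developer` and `find_developer_escaped`.

```php
<?php
// Added example (not from the mailing-list post). Shows the concatenated query
// the message calls bad next to a prepared-statement version that does not
// depend on magic quotes, plus a compatibility shim for code that still has to
// run on builds where magic_quotes_gpc may be enabled.
//
// Assumptions (not in the original message): placeholder DB credentials below,
// a `developers` table with a `username` column, and a mysqlnd-based PHP 5.x
// build. get_magic_quotes_gpc() returns false from PHP 5.4 on and was removed
// in PHP 8, hence the function_exists() guard.

// Undo magic quotes once, at request start, so the rest of the application
// always sees raw input regardless of the php.ini setting. Escaping then
// happens only where data enters SQL (or HTML, or a shell), never on the way in.
function undo_magic_quotes(array $data)
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? undo_magic_quotes($value) : stripslashes($value);
    }
    return $data;
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// BAD: the pattern quoted in the message. Untrusted input is pasted straight
// into the SQL text, so whether the ini setting happens to be on decides
// whether this is an injection point. That is exactly why magic quotes are
// harmful: they let code like this appear to work.
function find_developer_unsafe(mysqli $db, $username)
{
    return $db->query("SELECT * FROM `developers` WHERE `username` = '" . $username . "'");
}

// GOOD: a prepared statement. Query text and parameter reach the server
// separately, so the value can never alter the statement's structure and no
// escaping, magic or manual, is involved at all.
function find_developer(mysqli $db, $username)
{
    $stmt = $db->prepare('SELECT * FROM `developers` WHERE `username` = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $result = $stmt->get_result();            // needs mysqlnd (assumed above)
    $rows   = $result->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Fallback where a prepared statement is not an option: escape with the
// connection's own escaping function, which knows the connection charset.
// Never rely on addslashes() or on magic quotes for this.
function find_developer_escaped(mysqli $db, $username)
{
    $sql = "SELECT * FROM `developers` WHERE `username` = '"
         . $db->real_escape_string($username) . "'";
    return $db->query($sql);
}

// Usage: placeholder credentials, to be replaced with real ones.
$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$username = isset($_GET['username']) ? $_GET['username'] : '';
foreach (find_developer($db, $username) as $row) {
    // Output escaping is likewise done at the point of use, not at input time.
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "\n";
}
$db->close();
```

The shim at the top is the "compatibility" half of the message's point: it makes the application behave identically with magic_quotes_gpc on or off, so nothing downstream needs to know the setting exists. The prepared statement is the "protected" half: it is correct on its own and is the form a manual chapter would want readers to copy; `find_developer_unsafe` is kept only to show the shape of the code the message warns about.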