Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:50337 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 35072 invoked from network); 18 Nov 2010 10:48:07 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 18 Nov 2010 10:48:07 -0000 Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass; domainkeys=bad Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.170 as permitted sender) DomainKey-Status: bad X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.213.170 mail-yx0-f170.google.com Received: from [209.85.213.170] ([209.85.213.170:57981] helo=mail-yx0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id CA/86-32235-06405EC4 for ; Thu, 18 Nov 2010 05:48:01 -0500 Received: by yxi11 with SMTP id 11so1474346yxi.29 for ; Thu, 18 Nov 2010 02:47:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:cc:content-type; bh=e4AGctiEtVlBAbWC6wj4YQc5VTtnjpC2gPHWEpbrr7o=; b=kO4/C6omJl8bp8Nu3tNNLAKg03VYWzRrpWfQ3jyDOrDuJ7XBK+WDx2Pc7kotldwU+Q re4xycCdD5FXpuhGKxVuoLWDtojNil9PuEots8DjLE8oQ3FKV2w9TtEC3WDaAthyXjZQ 4t/CPj+uqSwZ43ejXQowtHOtDLcCihkvxstS0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=uV0JJ8pCj3cbrfAlOrFmyq9wgsB1b835gneJ6UYL1nAUU7rzEeH8vfwWclRjZ04Dq/ 4HN7Zb2Tqbk29Ja7eracqApi2uyzfeIVuYuKlPbgCwNjtdb+hOMG4BkWG8tEzj3doSqX DbnPWUnDRY349Z6S0Zz5ydTlstnYkVrapYPWI= MIME-Version: 1.0 Received: by 10.90.3.31 with SMTP id 31mr788049agc.141.1290077275604; Thu, 18 Nov 2010 02:47:55 -0800 (PST) Sender: tyra3l@gmail.com Received: by 10.90.53.4 with HTTP; Thu, 18 Nov 2010 02:47:55 -0800 (PST) In-Reply-To: References: Date: Thu, 18 Nov 2010 11:47:55 +0100 X-Google-Sender-Auth: NiN-Qwqt1fyOnDsGQZEVcqy9tRI Message-ID: To: Patrick ALLAERT Cc: Kalle Sommer Nielsen , Internals Content-Type: multipart/alternative; boundary=001636310843bec9670495518590 Subject: Re: [PHP-DEV] Magic quotes in trunk From: info@tyrael.hu (Ferenc Kovacs) --001636310843bec9670495518590 Content-Type: text/plain; charset=UTF-8 On Thu, Nov 18, 2010 at 11:41 AM, Patrick ALLAERT wrote: > 2010/11/17 Kalle Sommer Nielsen : > > Greetings > > > > I wanted to raise this topic before we go Alpha with trunk, regarding > > our beloved magic_quotes feature. There seems to be mixed opinions > > regarding it so I thought I would take it up for discussion. > > > > We have advised people not to use magic_quotes, register_globals and > > the like for years, and they were marked as deprecated in 5.3.0+ if > > activated through their php.ini directives. Yet magic_quotes still is > > set to "On" in 5.3.0. I think its worth we either remove the feature > > or disable it in trunk as its a security related feature. Lets have a > > look at what each of those options means: > > > > Removing magic_quotes): > > Means we will remove the feature entirely in the source, we will throw > > an E_CORE_ERROR if activated so people who have it enabled are forced > > to disable it and make their applications work without magic_quotes. > > This creates a minor issue for the hosts that simply disable it and > > have their customers applications run without them which can create a > > security risk for them, although it should be fairly limited. The > > functions to check for magic_quotes_runtime should however stay for BC > > to avoid applications that run on multiple versions of PHP from doing: > > if(function_exists('...') && ...) > > > > Disabling them): > > This will help to disable the spread of magic_quotes even more, and it > > can safely be removed in the next major version of PHP. > > > > > > My personal vote here goes towards removing them entirely. > > > > > > What are your inputs on this matter? > > > > -- > > regards, > > > > Kalle Sommer Nielsen > > kalle@php.net > > > > -- > > PHP Internals - PHP Runtime Development Mailing List > > To unsubscribe, visit: http://www.php.net/unsub.php > > I am all for removing it but... > Disabling it by default is the first mandatory step, [done] in PHP > 5.3, magic_quotes_gpc has been turned off by default at the same time > as providing a -development and -production version of the php.ini > file. > > However, such a change might be risky in the PHP5 series! > Release the exact same thing as PHP 5.4 or PHP 6, there is a big > difference in the user perception. > * Is my PHP 5.x application compatible with PHP 6? > * Chance is higher that they will take more care reading a PHP 5.3 -> > PHP 6 Migration guide than a 5.3 -> 5.4. > > +1 to remove it in PHP > 5 > > Patrick > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > by your logic, the same goes for register_globals and for the other deprecated stuff, that we wanted to remove with the next major version. maybe we should look this the other way around: if we agree that this things have to go, and the only thing which blocks that is the version number, then maybe we should ship something > 5 Tyrael --001636310843bec9670495518590--