Newsgroups: php.internals
Date: Thu, 18 Nov 2010 11:20:47 -0500
From: danielc@analysisandsolutions.com (Daniel Convissor)
To: PHP Internals List
Subject: Re: [PHP-DEV] Magic quotes in trunk
Message-ID: <20101118162047.GA26431@panix.com>
In-Reply-To: <201011172340.37217.larry@garfieldtech.com>
References: <6628E909-5B8E-4FB4-A28F-ECAF7FCA27AB@roshambo.org> <201011172340.37217.larry@garfieldtech.com>

On Wed, Nov 17, 2010 at 11:40:37PM -0600, Larry Garfield wrote:
>
> I won't miss magic quotes if they're removed, but I can see the argument for
> saying "not quite yet". Off-by-default is absolutely necessary if they're
> kept.

(Dear god, you mean they aren't off by default already?)

When opening my mouth on this list I often end up with my foot in it.
Hopefully this isn't one of them...

Disabling magic quotes by default leads to the same confusion and security
issues as removing them completely. But, we can remove magic quotes
completely if we add a fail-safe mechanism. Here are two potential options:

1) Add taint support (http://news.php.net/php.internals/37209) and enable
   it by default. This provides other security benefits, too.

or

2) Error out if using CGI or web SAPI and one of the following is true:
   a) php.ini does not contain "magic_quotes_gpc = Off"
   b) php.ini contains "magic_quotes_runtime = On"
   c) php.ini contains "magic_quotes_sybase = On"
   d) php.ini does not exist

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335  f: 718-854-0409
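The fail-safe in option 2 above, written as an added example of a userland bootstrap guard; this is not code from Daniel's message or from PHP's own startup logic. It assumes PHP 5.2 or later (filter_var, php_ini_loaded_file), and the function names ini_flag_is_on, magic_quotes_problems and enforce_magic_quotes_off are this example's own. Condition (a) is interpreted as "the effective value of magic_quotes_gpc is not Off" rather than as a textual scan of php.ini, so a per-directory override that turns the directive back on is caught as well.

```php
<?php
// Added example: a request-time guard implementing the four conditions
// from the message (not part of the original post or of PHP itself).
// On PHP 5.4+ the magic_quotes_* directives no longer exist, so ini_get()
// returns false for them and the guard reports nothing.

/**
 * Interpret a php.ini boolean the way the engine does:
 * "On", "1", "true", "yes" are true; "", "0", "Off", or a missing
 * directive (ini_get() === false) are false.
 */
function ini_flag_is_on($directive)
{
    $value = ini_get($directive);
    if ($value === false || $value === '') {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

/**
 * Return the list of conditions a) to d) from the message that hold
 * in the current process. An empty array means the engine is configured
 * the way the message requires.
 */
function magic_quotes_problems()
{
    $problems = array();

    // a) effective magic_quotes_gpc is not Off (covers a missing php.ini
    //    line and an override that re-enables it)
    if (ini_flag_is_on('magic_quotes_gpc')) {
        $problems[] = 'a) magic_quotes_gpc is not Off';
    }
    // b) magic_quotes_runtime = On
    if (ini_flag_is_on('magic_quotes_runtime')) {
        $problems[] = 'b) magic_quotes_runtime = On';
    }
    // c) magic_quotes_sybase = On
    if (ini_flag_is_on('magic_quotes_sybase')) {
        $problems[] = 'c) magic_quotes_sybase = On';
    }
    // d) no php.ini was loaded, so compiled-in defaults are in effect
    if (php_ini_loaded_file() === false) {
        $problems[] = 'd) php.ini does not exist (no ini file was loaded)';
    }

    return $problems;
}

/**
 * "Error out" when running under a CGI or web SAPI and any condition
 * holds. The CLI is exempt, as the message proposes. Throwing before any
 * request data is read means nothing downstream can silently depend on
 * magic quotes or double-escape to work around them.
 */
function enforce_magic_quotes_off()
{
    if (PHP_SAPI === 'cli') {
        return;
    }
    $problems = magic_quotes_problems();
    if ($problems === array()) {
        return;
    }
    throw new RuntimeException(
        "Refusing to serve requests until php.ini is fixed:\n  "
        . implode("\n  ", $problems)
    );
}

enforce_magic_quotes_off();
```

Include the file via auto_prepend_file or as the first line of the front controller so it runs before any input handling. The php.ini settings that satisfy the guard are the ones the message names: magic_quotes_gpc = Off, magic_quotes_runtime = Off, magic_quotes_sybase = Off, with a php.ini actually present. Escaping of request data is then done where it is used (parameterized queries, output encoding), which is what magic quotes were standing in for.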