Newsgroups: php.internals
Subject: Re: [PHP-DEV] Magic quotes in trunk
From: Johannes Schlüter <johannes@schlueters.de>
To: Daniel Convissor
Cc: PHP Internals List <internals@lists.php.net>
Date: Thu, 18 Nov 2010 17:25:49 +0100
Message-ID: <1290097549.16819.180.camel@guybrush>
In-Reply-To: <20101118162047.GA26431@panix.com>
References: <6628E909-5B8E-4FB4-A28F-ECAF7FCA27AB@roshambo.org> <201011172340.37217.larry@garfieldtech.com> <20101118162047.GA26431@panix.com>

Hi,

On Thu, 2010-11-18 at 11:20 -0500, Daniel Convissor wrote:
> Disabling magic quotes by default leads to the same confusion and security
> issues as removing them completely.

ACK

> But, we can remove magic quotes completely if we add a fail safe
> mechanism. Here are two potential options:
>
> 1) Add taint support (http://news.php.net/php.internals/37209) and enable
> it by default. This provides other security benefits, too.

replace one magic which proved to be bad with another magic ...

> or
>
> 2) Error out if using CGI or web SAPI and one of the following is true:
> a) php.ini does not contain "magic_quotes_gpc = Off"
> b) php.ini contains "magic_quotes_runtime = On"
> c) php.ini contains "magic_quotes_sybase = On"
> d) php.ini does not exist

d) is no option.

johannes
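As an added illustration of the fail-safe idea in option 2 (this is not code from the thread or from PHP itself), a PHP 5.3-era front-controller guard that refuses to serve web/CGI requests while any magic_quotes_* setting is still on, so that input handling never silently depends on escaped request data. Assumptions: it targets PHP 5.3, where get_magic_quotes_gpc() and the magic_quotes_* ini settings still exist; the PHP_SAPI test and the 500 response are my choices; check d) from the thread is deliberately left out, matching the reply's objection to it.

```php
<?php
// Added example: fail-safe guard against magic quotes (PHP 5.3 era).
// Assumption: included as the very first statement of the front controller,
// before any request data is read.

// Returns a list of human-readable problems, empty when the configuration is
// safe. Mirrors checks a) to c) of option 2 in the thread.
function magic_quotes_problems()
{
    $problems = array();

    // a) magic_quotes_gpc must be Off; get_magic_quotes_gpc() reflects the
    //    effective value, not just what php.ini says.
    if (get_magic_quotes_gpc()) {
        $problems[] = 'magic_quotes_gpc is On: $_GET/$_POST/$_COOKIE are silently escaped';
    }
    // b) magic_quotes_runtime must be Off. ini_get() returns "0" or "" when Off,
    //    both of which are falsy in PHP.
    if (ini_get('magic_quotes_runtime')) {
        $problems[] = 'magic_quotes_runtime is On: data read from files/DB is escaped';
    }
    // c) magic_quotes_sybase must be Off.
    if (ini_get('magic_quotes_sybase')) {
        $problems[] = 'magic_quotes_sybase is On: quotes are doubled instead of backslashed';
    }
    // d) "php.ini does not exist" is intentionally not a failure condition here.
    return $problems;
}

// Only CGI and web SAPIs receive GPC data that magic quotes would mangle;
// CLI scripts are exempt, as in option 2.
if (PHP_SAPI !== 'cli') {
    $problems = magic_quotes_problems();
    if (count($problems) > 0) {
        // Fail closed: a misconfigured server must not process input at all.
        header('HTTP/1.1 500 Internal Server Error');
        header('Content-Type: text/plain; charset=UTF-8');
        echo "Refusing to run, fix php.ini first:\n - " . implode("\n - ", $problems) . "\n";
        exit(1);
    }
}
```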