Newsgroups: php.internals
Subject: Re: [PHP-DEV] Magic quotes in trunk
From: rasmus@lerdorf.com (Rasmus Lerdorf)
Date: Thu, 18 Nov 2010 08:28:26 -0800
To: Johannes Schlüter
CC: Daniel Convissor, PHP Internals List

On 11/18/10 8:25 AM, Johannes Schlüter wrote:
> Hi,
>
> On Thu, 2010-11-18 at 11:20 -0500, Daniel Convissor wrote:
>> Disabling magic quotes by default leads to the same confusion and security
>> issues as removing them completely.
>
> ACK
>
>> But, we can remove magic quotes
>> completely if we add a fail safe mechanism. Here are two potential
>> options:
>>
>> 1) Add taint support (http://news.php.net/php.internals/37209) and enable
>> it by default. This provides other security benefits, too.
>
> replace one magic which proved to be bad with another magic ...

Plus the performance hit of the taint patch is rather nasty.

-R