Newsgroups: php.internals
Subject: RE: [PHP-DEV] Magic quotes in trunk
From: mike@rile.ca ("Mike Robinson")
To: "'Kalle Sommer Nielsen'", "'Internals'"
Date: Thu, 18 Nov 2010 15:20:09 -0500
Message-ID: <000801cb875d$ff32aad0$fd980070$@ca>

On November-17-10 11:09 AM Kalle Sommer Nielsen wrote:
> Greetings
>
> I wanted to raise this topic before we go Alpha with trunk, regarding
> our beloved magic_quotes feature. There seem to be mixed opinions
> regarding it, so I thought I would take it up for discussion.
>
> We have advised people not to use magic_quotes, register_globals and
> the like for years, and they were marked as deprecated in 5.3.0+ if
> activated through their php.ini directives. Yet magic_quotes is still
> set to "On" in 5.3.0. I think it's worth it that we either remove the
> feature or disable it in trunk, as it's a security related feature.
> Let's have a look at what each of those options means:
>
> Removing magic_quotes:
> Means we will remove the feature entirely in the source; we will throw
> an E_CORE_ERROR if activated, so people who have it enabled are forced
> to disable it and make their applications work without magic_quotes.
> This creates a minor issue for the hosts that simply disable it and
> have their customers' applications run without them, which can create
> a security risk for them, although it should be fairly limited. The
> functions to check for magic_quotes_runtime should however stay for BC
> to avoid applications that run on multiple versions of PHP from doing:
> if(function_exists('...') && ...)
>
> Disabling them:
> This will help to disable the spread of magic_quotes even more, and it
> can safely be removed in the next major version of PHP.
>
> My personal vote here goes towards removing them entirely.
>
> What are your inputs on this matter?

IMHO, removing magic_quotes should be done only in the next major version.
Far too many people are going to get bit on the behind by this type of
change in a minor version. I do agree it needs to crash and burn, but I
think it'll take millions of lines of code down with it (sadly).

To me, removing it and disabling it by default are practically speaking
the same thing. So the same applies -> next major version.

If by consensus the group should decide to go ahead anyway, I would
suggest a big fat notice with the release announcement and a prominent
spot on the front page of php.net (now?), and perhaps consider bumping
the version number up 1 (to 5.5?) just to get people's attention.

This is huge.

Best Regards,
Mike Robinson
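The BC check Kalle mentions (`function_exists('...')`) is what an application that must run on several PHP versions ends up writing. The following is an added example, not code from the thread or from PHP itself, showing one defensive way to do it: detect magic_quotes_gpc if it is still on, undo the added backslashes so input is raw on every version, and then protect the SQL sink with a prepared statement instead of relying on the escaping magic_quotes tried to provide. `$pdo` is assumed to be an existing PDO connection.

```php
<?php
// Added example: normalise request input whether or not magic_quotes_gpc is
// enabled, so the rest of the application never depends on the php.ini setting.

function magic_quotes_gpc_active()
{
    // get_magic_quotes_gpc() is gone in PHP 8 and deprecated in 7.4 (hence the
    // @); guard the call so this file loads cleanly on every version.
    if (function_exists('get_magic_quotes_gpc')) {
        return (bool) @get_magic_quotes_gpc();
    }
    return false;
}

// Recursively reverse addslashes() on strings, leaving other types alone.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

if (magic_quotes_gpc_active()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Input is now raw on every PHP version. Escaping belongs at the sink, and
// a prepared statement does that correctly; magic_quotes never did.
// $pdo is an assumed, pre-existing PDO connection.
$name = isset($_POST['name']) ? $_POST['name'] : '';
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute(array(':name' => $name));
```

Run this before any other code touches the superglobals, since a later stripslashes() on already-raw input would corrupt legitimate backslashes.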