Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:50383
Return-Path: <ilia@prohost.org>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 7668 invoked from network); 19 Nov 2010 13:04:22 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Nov 2010 13:04:22 -0000
Authentication-Results: pb1.pair.com smtp.mail=ilia@prohost.org; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=ilia@prohost.org; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain prohost.org designates 209.85.161.42 as permitted sender)
X-PHP-List-Original-Sender: ilia@prohost.org
X-Host-Fingerprint: 209.85.161.42 mail-fx0-f42.google.com  
Received: from [209.85.161.42] ([209.85.161.42:51426] helo=mail-fx0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 00/02-25589-5D576EC4 for <internals@lists.php.net>; Fri, 19 Nov 2010 08:04:21 -0500
Received: by fxm16 with SMTP id 16so2150409fxm.29
        for <internals@lists.php.net>; Fri, 19 Nov 2010 05:04:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.70.139 with SMTP id d11mr836820faj.36.1290171858349; Fri,
 19 Nov 2010 05:04:18 -0800 (PST)
Received: by 10.223.126.199 with HTTP; Fri, 19 Nov 2010 05:04:17 -0800 (PST)
In-Reply-To: <AANLkTin3-7w6wmFHvX+T+xoCF5HxSB=sSt4vYnkPW4y-@mail.gmail.com>
References: <AANLkTin3-7w6wmFHvX+T+xoCF5HxSB=sSt4vYnkPW4y-@mail.gmail.com>
Date: Fri, 19 Nov 2010 08:04:17 -0500
Message-ID: <AANLkTimXT0L82xTn2PWqfur-gy2GX2n=sbbeVRPCMT3n@mail.gmail.com>
To: Kalle Sommer Nielsen <kalle@php.net>
Cc: Internals <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHP-DEV] Magic quotes in trunk
From: ilia@prohost.org (Ilia Alshanetsky)

+1 for removing it.

On Wed, Nov 17, 2010 at 11:08 AM, Kalle Sommer Nielsen <kalle@php.net> wrote:
> Greetings
>
> I wanted to raise this topic before we go Alpha with trunk, regarding
> our beloved magic_quotes feature. There seems to be mixed opinions
> regarding it so I thought I would take it up for discussion.
>
> We have advised people not to use magic_quotes, register_globals and
> the like for years, and they were marked as deprecated in 5.3.0+ if
> activated through their php.ini directives. Yet magic_quotes still is
> set to "On" in 5.3.0. I think its worth we either remove the feature
> or disable it in trunk as its a security related feature. Lets have a
> look at what each of those options means:
>
> Removing magic_quotes):
> Means we will remove the feature entirely in the source, we will throw
> an E_CORE_ERROR if activated so people who have it enabled are forced
> to disable it and make their applications work without magic_quotes.
> This creates a minor issue for the hosts that simply disable it and
> have their customers applications run without them which can create a
> security risk for them, although it should be fairly limited. The
> functions to check for magic_quotes_runtime should however stay for BC
> to avoid applications that run on multiple versions of PHP from doing:
> if(function_exists('...') && ...)
>
> Disabling them):
> This will help to disable the spread of magic_quotes even more, and it
> can safely be removed in the next major version of PHP.
>
>
> My personal vote here goes towards removing them entirely.
>
>
> What are your inputs on this matter?
>
> --
> regards,
>
> Kalle Sommer Nielsen
> kalle@php.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>