Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:50390
Return-Path: <danielc@analysisandsolutions.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 34302 invoked from network); 19 Nov 2010 15:17:06 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Nov 2010 15:17:06 -0000
Authentication-Results: pb1.pair.com header.from=danielc@analysisandsolutions.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=danielc@analysisandsolutions.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain analysisandsolutions.com from 166.84.1.73 cause and error)
X-PHP-List-Original-Sender: danielc@analysisandsolutions.com
X-Host-Fingerprint: 166.84.1.73 mail2.panix.com  
Received: from [166.84.1.73] ([166.84.1.73:61147] helo=mail2.panix.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F4/A0-30627-1F496EC4 for <internals@lists.php.net>; Fri, 19 Nov 2010 10:17:06 -0500
Received: from panix5.panix.com (panix5.panix.com [166.84.1.5])
	by mail2.panix.com (Postfix) with ESMTP id B93A638E48
	for <internals@lists.php.net>; Fri, 19 Nov 2010 10:17:02 -0500 (EST)
Received: by panix5.panix.com (Postfix, from userid 14662)
	id A9FB72424E; Fri, 19 Nov 2010 10:17:02 -0500 (EST)
Date: Fri, 19 Nov 2010 10:17:02 -0500
To: PHP Internals List <internals@lists.php.net>
Message-ID: <20101119151702.GA5937@panix.com>
References: <AANLkTin3-7w6wmFHvX+T+xoCF5HxSB=sSt4vYnkPW4y-@mail.gmail.com> <6628E909-5B8E-4FB4-A28F-ECAF7FCA27AB@roshambo.org> <201011172340.37217.larry@garfieldtech.com> <20101118162047.GA26431@panix.com> <1290097549.16819.180.camel@guybrush>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1290097549.16819.180.camel@guybrush>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [PHP-DEV] Magic quotes in trunk
From: danielc@analysisandsolutions.com (Daniel Convissor)

Hi Johannes:

On Thu, Nov 18, 2010 at 05:25:49PM +0100, Johannes Schlter wrote:
>
> > 2) Error out if using CGI or web SAPI and one of the following is true:
> >    a) php.ini does not contain "magic_quotes_gpc = Off"
> >    b) php.ini contains "magic_quotes_runtime = On"
> >    c) php.ini contains "magic_quotes_sybase = On"
> >    d) php.ini does not exist
> 
> d) is no option.

Yeah, I hear you and figured there would be objection.

At the same time, for server administrators, isn't knowingly creating one 
file with "magic_quotes_gpc = Off" in it a very low hurdle compared to 
unknowingly getting pwn3d and then having to clean up that mess later?

If this isn't acceptable, let's come up with some other fail-safe options.

Thanks,

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409