Newsgroups: php.internals
Date: Fri, 19 Nov 2010 22:36:13 -0800
From: philip@roshambo.org (Philip Olson)
To: Stanley Sufficool
Cc: Daniel Convissor, PHP Internals List
Subject: Re: [PHP-DEV] Magic quotes in trunk

On Nov 19, 2010, at 6:45 PM, Stanley Sufficool wrote:

> On Fri, Nov 19, 2010 at 8:14 AM, Daniel Convissor wrote:
>> On Fri, Nov 19, 2010 at 04:41:48PM +0100, Ferenc Kovacs wrote:
>>> you can get pwn3d with magic_quotes_gpc = On
>>
>> That goes without saying. Nonetheless, it will be problematic for PHP
>> to disable/remove a "security" feature that some people rely on.
>
> Well then +1 for making the setting throw deprecated PHP startup
> notifications when turned on with a link to suggested security
> practices for SQL, exec(), passthru(), and other sensitive functions
> benefiting from magic quotes.

Linking to a document sounds reasonable, but we already provide an
E_DEPRECATED error when any magic quotes setting is enabled (as of
5.3.0), so the probable question here is if we should disable MQ by
default (in 5.4) and remove it later (5.5 or 6.0), or simply remove it
now. I lean towards disabling by default in 5.4, and removing in 6.0.

> Also throw an E_NOTICE deprecated for the magic_quotes_gpc() function
> as well for those that check if this setting is on/off.

Punishing people who write compatible code feels wrong, so
get_magic_quotes_gpc() should never emit an error. Heck, this harmless
function might even exist in PHP 7. My guess is most people simply run
stripslashes() if On, rather than avoid superior escaping mechanisms.

> But please start the movement in the direction that this will be
> removed in the future.

I'm having a difficult time grasping the exact implications here,
except that a default value change mostly affects people without php.ini
files. I'm not sure who those people are, or how they may end up using
PHP 5.4, but maybe a wiser old timer can predict this story.

But for good measure:

What we have already done with magic_quotes_gpc:
-------
(Note: sister magic_quotes_runtime has always defaulted to Off)

PHP 4, 5.0, 5.1, 5.2
 - Default (On)
 - php.ini-dist (On)
 - php.ini-recommended (Off)

PHP 5.3
 - Default (On)
 - php.ini-development (Off)
 - php.ini-production (Off)
 - E_DEPRECATED error when On

Distributions/vendors:
 - I'm not sure which defaults they all use

We've recommended Off for a long time now (year ~2000) so should feel
okay with whatever decision is made. But, our main focus is handling
clueless code that magically works (sort of) thanks to magical quotes.
Magic!

Regards,
Philip
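The "compatible code" pattern the message refers to, written out as an added example (not code from the thread or from PHP itself): the application checks get_magic_quotes_gpc() and undoes the added slashes so its input is identical whether the setting is On or Off, then leaves escaping to a bound parameter instead of relying on the slashes. The table name, column names, DSN and credentials are placeholders; the function_exists() guard is an assumption for running the snippet on PHP builds that no longer ship get_magic_quotes_gpc().

```php
<?php
// Added example: normalise GPC input regardless of magic_quotes_gpc, then
// use a prepared statement so the ini setting has no bearing on safety.

/**
 * Recursively strip the slashes magic_quotes_gpc added to $_GET, $_POST
 * and $_COOKIE. Array keys were escaped too, so they are stripped as well.
 */
function undo_magic_quotes($value)
{
    if (!is_array($value)) {
        return stripslashes($value);
    }
    $clean = array();
    foreach ($value as $key => $item) {
        $clean[stripslashes($key)] = undo_magic_quotes($item);
    }
    return $clean;
}

// Check the setting rather than assume it; the guard covers PHP versions
// where the function itself has been removed (assumption, not from the thread).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Escaping belongs to the database layer. A bound parameter is never spliced
// into the SQL text, so neither the slashes magic quotes add nor their absence
// changes what the query means. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));

$name = isset($_POST['name']) ? $_POST['name'] : '';
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
$stmt->execute(array(':name' => $name));

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Because the slashes are removed up front, the same code produces the same rows with magic_quotes_gpc On or Off, which is why a deprecation error on get_magic_quotes_gpc() would hit exactly the code that already does the right thing.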