Newsgroups: php.internals
Subject: Re: [PHP-DEV] Magic quotes in trunk
From: ssufficool@gmail.com (Stanley Sufficool)
To: Philip Olson
Cc: Daniel Convissor, PHP Internals List
Date: Sat, 20 Nov 2010 10:51:31 -0800

On Fri, Nov 19, 2010 at 10:36 PM, Philip Olson wrote:
>
> On Nov 19, 2010, at 6:45 PM, Stanley Sufficool wrote:
>> On Fri, Nov 19, 2010 at 8:14 AM, Daniel Convissor
>> wrote:
>>> On Fri, Nov 19, 2010 at 04:41:48PM +0100, Ferenc Kovacs wrote:
>>>> you can get pwn3d with magic_quotes_gpc = On
>>>
>>> That goes without saying.  None the less, it will be problematic for PHP
>>> to disable/remove a "security" feature that some people rely on.
>>
>> Well then +1 for making the setting throw deprecated PHP startup
>> notifications when turned on with a link to suggested security
>> practices for SQL, exec(), passthru(), and other sensitive functions
>> benefiting from magic quotes.
>
> Linking to a document sounds reasonable, but we already provide an E_DEPRECATED error when any magic quotes setting is enabled (as of 5.3.0), so the probable question here is if we should disable MQ by default (in 5.4) and remove it later (5.5 or 6.0), or simply remove it now. I lean towards disabling by default in 5.4, and removing in 6.0.
>
>> Also throw an E_NOTICE deprecated for the magic_quotes_gpc() function
>> as well for those that check if this setting is on/off.
>
> Punishing people who write compatible code feels wrong, so get_magic_quotes_gpc() should never emit an error. Heck, this harmless function might even exist in PHP 7. My guess is most people simply run stripslashes() if On, rather than avoid superior escaping mechanisms.

I retract my assertion that get_magic_quotes_gpc() throw anything. ;-)

>
>> But please start the movement in the direction that this will be
>> removed in the future.
>
> I'm having a difficult time grasping the exact implications here, except that a default value change mostly affects people without php.ini files. I'm not sure who those people are, or how they may end up using PHP 5.4, but maybe a wiser old timer can predict this story. But for good measure:
>
> What we have already done with magic_quotes_gpc:
> -------
> (Note: sister magic_quotes_runtime has always defaulted to Off)
>
> PHP 4, 5.0, 5.1, 5.2
> - Default (On)
> - php.ini-dist (On)
> - php.ini-recommended (Off)
>
> PHP 5.3
> - Default (On)
> - php.ini-development (Off)
> - php.ini-production (Off)
> - E_DEPRECATED error when On
>
> Distributions/vendors:
> - I'm not sure which defaults they all use
>
> We've recommended Off for a long time now (year ~2000) so should feel okay with whatever decision is made. But, our main focus is handling clueless code that magically works (sort of) thanks to magical quotes. Magic!

FWIW, my SQL Server code doesn't magically work with this setting on, I just get a bunch of crappy "quote\\\\\'s " values after several iterations.

> Regards,
> Philip
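The "compatible code" Philip describes (check get_magic_quotes_gpc() and run stripslashes() when it is On) and the stacked-backslash values Stanley reports are both easy to show in a few lines. The block below is an added example written for this page, not code from the thread or from PHP itself: it normalizes GPC input once at the request edge, then relies on bound parameters and escapeshellarg() instead of escaping for SQL and exec(). The PDO DSN, the `users` table and the sample input are constructed for the example; the function_exists() guard is there because get_magic_quotes_gpc() was later removed from PHP.

```php
<?php
// Added example, not from the thread. Undo magic_quotes_gpc once when it is
// On so the application sees raw input, then use parameterized queries and
// escapeshellarg() rather than escaping. DSN and table are hypothetical.

/**
 * Recursively strip the slashes that magic_quotes_gpc added to GPC data.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Compatible code: a no-op when the setting is Off (the recommended default),
// a single normalization pass at the top of the request when it is On.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample input standing in for a submitted form field.
$name = isset($_POST['name']) ? $_POST['name'] : "O'Brien";

// SQL: bind parameters instead of escaping. The driver keeps data and
// statement text separate, so the quote in O'Brien is data, not syntax.
$pdo = new PDO('sqlite::memory:');   // hypothetical DSN for a self-contained run
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute(array(':name' => $name));

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute(array(':name' => $name));
var_dump($select->fetchColumn() === $name);   // bool(true): stored value is unchanged

// exec()/passthru(): never splice input into a command string. Quote each
// argument with escapeshellarg(); magic quotes never made this safe.
$arg = escapeshellarg($name);
echo exec('printf %s ' . $arg), PHP_EOL;      // O'Brien

// Why "quote\'s" values appear: addslashes() applied on every round trip
// (magic quotes on input, manual escaping before storage) stacks backslashes.
function round_trips($value, $n)
{
    for ($i = 0; $i < $n; $i++) {
        $value = addslashes($value);
    }
    return $value;
}
echo round_trips("quote's", 3), PHP_EOL;      // quote\\\\\\\'s (seven backslashes)
```

Undoing the quoting exactly once, at the request boundary, is what keeps the rest of the code independent of the php.ini value; any module that strips or adds slashes on its own is what produces the growing backslash runs after several iterations.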