Newsgroups: php.internals
Date: Wed, 13 Jul 2011 22:00:42 +0200
From: Ferenc Kovacs <tyra3l@gmail.com>
To: "Moshe, Sam"
Cc: PHP Internals
Subject: Re: [PHP-DEV] [VOTE] 5.4 features vote

On Wed, Jul 13, 2011 at 9:50 PM, Moshe, Sam wrote:
> I'm sure this has been discussed, but I'm new here, and uncertain as to
> where to go to get caught up.
> What's so wrong with magic quotes that they need to be removed from the
> language entirely?
>
> Links of advice would be helpful.
> Thanks.
>

For starters:
http://php.net/manual/en/security.magicquotes.whynot.php
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

There are 3 major problems:
- magic_quotes is magic, it is implicit: you didn't know or care about it, but if your code depends on it and you didn't check whether it is turned on or not, your code will be vulnerable in the new environment.
- magic_quotes gives you a false sense of security, as it uses addslashes, and that doesn't prevent XSS injections, for example.
- addslashes can save you from the SQL injection related vulnerabilities, but as it doesn't care about encodings and couldn't possibly know what you are using for your db connection, it can be circumvented: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
So it is better than nothing, but isn't a 100% safe solution, but it prevents the users from learning the proper way to secure their applications.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
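An added example, not part of Ferenc's message or of PHP's own code, showing the three points above from the defender's side in PHP 5.3-era style (where magic_quotes still exists). The DB_DSN environment variable, the DB_USER/DB_PASS credentials and the users table are assumptions.

```php
<?php
// Added example: detecting implicit magic_quotes, showing that addslashes
// is not an XSS defence, and replacing escaping with parameterised queries.

// 1. Implicitness: code that silently relies on magic_quotes breaks, or
//    becomes injectable, when the setting changes. Detect it and normalise
//    so the rest of the application always sees raw input.
function stripMagicQuotes(array $input)
{
    // get_magic_quotes_gpc() reports whether the runtime already ran
    // addslashes over GPC data; on PHP 5.4+ it is always false.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $input;
    }
    return array_map('stripslashes', $input);
}

// 2. False sense of security: addslashes only touches ' " \ and NUL, so
//    markup passes through untouched. Output encoding is a separate step.
function renderName($name)
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// 3. Encoding-unaware escaping: rather than a better escaper, keep user
//    input out of the SQL text entirely with a real prepared statement.
//    The connection charset is pinned in the DSN so client and server agree.
function findUser(PDO $pdo, $name)
{
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side binding
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input standing in for a request parameter.
$input = stripMagicQuotes(array('name' => "<script>alert(1)</script> O'Brien"));

var_dump(addslashes('<script>') === '<script>'); // bool(true): addslashes left it alone
echo renderName($input['name']), "\n";           // &lt;script&gt;...O&#039;Brien

// Only talk to a database when one is configured (assumed env vars).
if ($dsn = getenv('DB_DSN')) {                   // e.g. mysql:host=...;dbname=...;charset=utf8
    $pdo = new PDO($dsn, getenv('DB_USER'), getenv('DB_PASS'));
    foreach (findUser($pdo, $input['name']) as $row) {
        echo renderName($row['name']), "\n";
    }
}
```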