Newsgroups: php.internals
Date: Tue, 19 Jul 2011 11:14:29 +0100
To: Reindl Harald
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC] Magic Quotes in PHP, the Finalle
From: rquadling@gmail.com (Richard Quadling)

On 19 July 2011 09:57, Reindl Harald wrote:
> anybody who maintains a server should make an explicit config
> and not relying on random defaults

Consider me told. Amazed that a 2 year old deprecation notice is still outstanding, but told all the same.

I think, rather than having "production" and "development", we need "best practice". And these ini files only contain the things needed to alter the default settings.

Currently, the production and development ini files cover ALL the settings.

Consider what has been said about the shared hosters - they don't read stuff to help themselves. They simply install, choose an ini file (maybe) and they're done. Having it so that they have to read ini files, release notes, etc. ... well, fast buck === short cut somewhere.

If there was an approved "best practice" INI file which only covered the changes to the defaults, this would be a fast win for PHP in that we can say that this really is all you need to know about how PHP has moved on in the defaults department.

Sure, we used to use magic quotes. Now we don't.

Best practice would specifically imply potential BC. Exactly because the position has changed. So, any errors due to an ini setting in the "best practice" file are a big warning straight away.

As it stands:

A - Some of the defaults don't get altered anywhere. The defaults work and are carried through to the INI files, making the entries in the INI files redundant and possibly dangerous if PHP then changes the defaults.

B - Some of the defaults are overridden based upon environment. That's also fine but if the values are changed in both production and development, then the default is wrong and should be changed to match what is currently being used in the INI files.

I suppose it is all about trying to keep the most people happy.

The bleeding-edge want safe, secure and fast runtime where the defaults are right and the minimum amount of changes is needed to tune to the environment (sapi and extension mainly I'd say).

The hosters want the least number of support issues - so bugger security, let's keep all those bad practices and ini settings.

I think a minimal php.ini-best-practice would certainly highlight this to the hosters.

--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
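
The classification described in the message above (entries that repeat the default, entries that differ by environment, and entries where both files agree against the default), shown as an added example that is not part of the original message or of PHP itself. The directive values, the sample ini texts and the function names are constructed for illustration; real defaults must be taken from the PHP version being audited.

```python
# Added example: sorts php.ini directives into the message's cases.
# Every value below is a constructed sample, not PHP's real defaults.
BOOLS = {"on": "1", "yes": "1", "true": "1", "off": "0", "no": "0", "false": "0"}

DEFAULTS = {"magic_quotes_gpc": "1", "display_errors": "1", "memory_limit": "128M"}
PRODUCTION = """[PHP]
; constructed sample
magic_quotes_gpc = Off
display_errors = Off
memory_limit = 128M
"""
DEVELOPMENT = """[PHP]
magic_quotes_gpc = Off
display_errors = On   ; inline comment
memory_limit = 128M
"""

def parse_ini(text):
    """Return {directive: value}; booleans are folded to "1"/"0" for comparison."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue  # blank line, comment, or section header
        name, value = (part.strip() for part in line.split("=", 1))
        if not value.startswith('"'):
            value = value.split(";", 1)[0].strip()  # unquoted: drop trailing comment
        settings[name] = BOOLS.get(value.lower(), value.strip('"'))
    return settings

def classify(defaults, production, development):
    report = {"redundant": [], "environment": [], "default_wrong": [], "unknown": []}
    for name in sorted(set(production) | set(development)):
        if name not in defaults:
            report["unknown"].append(name)
            continue
        prod = production.get(name, defaults[name])
        dev = development.get(name, defaults[name])
        if prod == dev == defaults[name]:
            report["redundant"].append(name)      # case A: entry repeats the default
        elif prod == dev:
            report["default_wrong"].append(name)  # both files override identically
        else:
            report["environment"].append(name)    # case B: differs by environment
    return report

def minimal_ini(defaults, chosen):
    """Lines a file would need if it held only changes from the defaults."""
    return [f"{k} = {v}" for k, v in sorted(chosen.items()) if defaults.get(k) != v]

if __name__ == "__main__":
    prod, dev = parse_ini(PRODUCTION), parse_ini(DEVELOPMENT)
    print(classify(DEFAULTS, prod, dev))
    print("\n".join(minimal_ini(DEFAULTS, prod)))
```

A directive landing in `default_wrong` is the case the message argues should be fixed in the compiled default rather than carried in both ini files.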