Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:70675 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 19726 invoked from network); 16 Dec 2013 20:54:54 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 16 Dec 2013 20:54:54 -0000 Authentication-Results: pb1.pair.com header.from=adam@adamharvey.name; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=adam@adamharvey.name; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain adamharvey.name designates 209.85.213.173 as permitted sender) X-PHP-List-Original-Sender: adam@adamharvey.name X-Host-Fingerprint: 209.85.213.173 mail-ig0-f173.google.com Received: from [209.85.213.173] ([209.85.213.173:45005] helo=mail-ig0-f173.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 23/7F-32483-D986FA25 for ; Mon, 16 Dec 2013 15:54:53 -0500 Received: by mail-ig0-f173.google.com with SMTP id uq10so4679927igb.0 for ; Mon, 16 Dec 2013 12:54:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adamharvey.name; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=P4U/In82a9dOuuI0z+1a3h93R1JU8srvmZ7QFQQLwC4=; b=DXjSsc8qD3NvoF+4jVCJBvqYfUBo6SImni/I22v1RGkkmHCpiKMIuG0u2xqxO7L3OD TYgDPAFvB5w8URsoHmqXQIwfOYLpJASk1Vn0qxZXCS1bX5GBAf+EnALpPAL8AflYkcDA hxKDVY8L0TRqHHFPdvMBT7+j3bY0i0VTeN9lQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=P4U/In82a9dOuuI0z+1a3h93R1JU8srvmZ7QFQQLwC4=; b=g/h5Fmx3fsydPDe4zQcvm5OkH/MmxK1pRp179MygWlcDli4Cj0iJfJ5vv/bvZ+GaRI 3lwiVUepb7aeJA/ZRT+QM/ZKGt9eziDxxIAtywUnw9+QxsEWJeLCNHF6qIKwQAzWo38k di/N2iakByNUzd5uFoQlHtfWiuGj9w2n7nQQ0rCecgcQEn+DPi5vZD2pK1DMEvx12KuF 4Wxy21sjwwh1z/jZ9pbhFV6fZVYnkOOWmR+zNvLAMn9336MMMO60dGs0jjeF2OAeclCG lRvbAju29Ee1oaMnx2wfrGBopDTI1tNl9pBPi5rt+5NbK6esCjcEAF6rWUYA5i98heUK cMQQ== X-Gm-Message-State: ALoCoQkyUvZKS5RbD7AVWEVXYOJnBmzzFVs3c/XK7wBg3O0o1V+zVoE/6VOP3zk7FRitNlzerW7y X-Received: by 10.50.141.133 with SMTP id ro5mr16447162igb.35.1387227290786; Mon, 16 Dec 2013 12:54:50 -0800 (PST) MIME-Version: 1.0 Sender: adam@adamharvey.name Received: by 10.42.206.208 with HTTP; Mon, 16 Dec 2013 12:54:30 -0800 (PST) In-Reply-To: References: Date: Mon, 16 Dec 2013 12:54:30 -0800 X-Google-Sender-Auth: M4zFsl5s-D4XdKf49MY4zsvDT_E Message-ID: To: Yasuo Ohgaki Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] Re: Making addslashes() multibyte aware From: aharvey@php.net (Adam Harvey) On 16 December 2013 12:44, Yasuo Ohgaki wrote: > I don't think locale based MBCS support is optimum, but I'll add it to > addslashes() for now. I don't think basing behaviour on the locale is a great idea (as evidenced by the various issues with Turkish and Azeri over the years). Could we just add an explicit encoding parameter like htmlspecialchars()? > Question is where should I start? > It's security issue for certain char encodings such as SJIS/BIG5. Is there a case other than database access (where we've been directing users to better APIs like PDO and mysqli for several years, at least) where this is likely to cause security issues? > I'll fix php_addslashes(). Therefore, any functions that use it internally > are affected. e.g. var_export(), etc. Users are not affected as long as > they are using correct locale. > > Should I fix this from 5.3? This feels like it has the potential to be a really nasty implicit BC break. I don't think we'd want to change default behaviour on any stable branch, honestly. Adam