Well, people turn on safe mode just because the name implies that things are safe too - which is wrong. I agree with Ilia, we should not mangle request data by default. It's fine to provide filter functions but the normal post/get/cookie data should be normally available through GET and POST - this is starting to look like another magic_quotes. A bad thing!
Besides that, turning it on by default could turn out to become a major BC break.
I have never suggested it should be on by default. I specifically stated that it shouldn't be on by default. And of course it could break certain applications if you turn it on. When you look at web apps out there you see elaborate schemes to filter input data that are often wrong. And even if they are right, they forgot to filter the state drop-down select list, for example. I mean they only provided a bunch of 2-letter state abbreviations for the user to choose between, so they don't think to filter that particular field. You'd be amazed how many places you can spoof a form and send state=CA<javascript hack> back to it. We need a way to apply a default security policy for all input data which can then be loosened for specific fields, like the text area field of a forum application. Think of it in firewall terms. A decent firewall starts with everything blocked and then you poke a few holes in it where you need them. A firewall which has everything open by default, where you have to specifically block individual ports you think may be evil yourself, is never going to be anywhere near as effective.
TCP/IP firewalls break all sorts of applications as well until either the application is modified to poke a hole in the firewall itself via UPnP, or you reconfigure the firewall. This makes firewalls annoying, but they are necessary. This is exactly the same thing. It is a data firewall for PHP. You don't have to use it, but people want it and need it.
-Rasmus
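The "data firewall" idea from the message above, default-deny for every request field with explicit holes poked for the fields that need them, sketched as an added example. This is not the input filter patch under discussion nor the ext/filter API; the function names (apply_rule, filter_request) and the policy array format are this example's own, and the request array is constructed sample data standing in for $_POST.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original mailing list post.
// The default rule applied to every field nobody thought about: a short token of
// letters, digits, space and a little safe punctuation. Anything else is rejected,
// so a tampered hidden field or select list fails instead of flowing into the app.
const DEFAULT_RULE = ['type' => 'token'];

// Per-field exceptions: the holes poked in the firewall (hypothetical field names).
$policy = [
    // The drop-down only ever offered 2-letter codes, so accept exactly those.
    'state'   => ['type' => 'enum', 'values' => ['CA', 'NY', 'TX', 'WA']],
    'age'     => ['type' => 'int', 'min' => 0, 'max' => 150],
    // Forum text area: free text is allowed, but length-capped and escaped.
    'message' => ['type' => 'text', 'max_len' => 4000],
];

/**
 * Apply one rule to one raw string. Returns the cleaned value, or null if rejected.
 */
function apply_rule(string $value, array $rule): ?string
{
    switch ($rule['type']) {
        case 'token':
            // Strict allowlist: alphanumerics plus space . _ - and at most 64 chars.
            return preg_match('/\A[A-Za-z0-9 ._-]{0,64}\z/', $value) === 1 ? $value : null;
        case 'enum':
            // Exact match against the values the form actually offered.
            return in_array($value, $rule['values'], true) ? $value : null;
        case 'int':
            $opts = ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]];
            $n = filter_var($value, FILTER_VALIDATE_INT, $opts);
            return $n === false ? null : (string) $n;
        case 'text':
            // The loosened hole: free text passes, but it can never become markup
            // when echoed back into a page because it is HTML-escaped here.
            if (strlen($value) > $rule['max_len']) {
                return null;
            }
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        default:
            throw new InvalidArgumentException('unknown rule type ' . $rule['type']);
    }
}

/**
 * Filter a whole request array. Every field gets DEFAULT_RULE unless the policy
 * names it. Rejected fields are dropped and listed so the application can log
 * the attempt or refuse the request outright.
 */
function filter_request(array $input, array $policy): array
{
    $clean = [];
    $rejected = [];
    foreach ($input as $name => $value) {
        if (!is_string($value)) {
            // Nested arrays and uploads need their own rules; deny by default.
            $rejected[] = (string) $name;
            continue;
        }
        $rule = $policy[$name] ?? DEFAULT_RULE;
        $result = apply_rule($value, $rule);
        if ($result === null) {
            $rejected[] = (string) $name;
        } else {
            $clean[$name] = $result;
        }
    }
    return ['clean' => $clean, 'rejected' => $rejected];
}

// Constructed sample request: a spoofed form post with a tampered select field
// and a field the developer never wrote a filter for.
$request = [
    'state'    => 'CA<script>alert(1)</script>',  // never offered by the drop-down
    'age'      => '42',
    'message'  => "Hello <b>world</b>\nsecond line",
    'username' => 'rasmus',
    'sort'     => 'name; DROP TABLE users',        // no explicit rule: default rule applies
];

print_r(filter_request($request, $policy));
```

With this policy the tampered state value and the unexpected sort value both land in the rejected list, while age, username and the escaped message pass. The point mirrored from the message is that the developer only had to write rules for the three fields they thought about; every field they forgot is covered by the strict default rather than flowing through unchecked.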
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php