I don't say stuff relying on magic_quotes is safe but kicking it will
open up way more attack vectors... :-(
In my opinion, this isn't about opening attack vectors (one hole is
all it takes, so they're probably already vulnerable), but removing
mqgpc without fair warning to end users could open up plenty of
failure situations when the data is "trusted" and the developers
didn't strip/escape the [magic] quotes properly:

    $_GET['search'] = "O'Reilly";
    $sql = "select * from books where publisher = '" . $_GET['search'] ."'";

The above was never "safe", but it "worked" in a trusted environment
with mqgpc on. Removing it would cause a SQL error.
Note: I'm not condoning the use of mqgpc; just saying that disabling
it abruptly has potential for a lot of unintended breakage.
S
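
The breakage described in the message above, next to the same lookup done with a bound parameter. This is an added example, not code from the original message; it also covers the double-escaping case that appears when escaped input is bound. The in-memory SQLite table, its row, and the concat_query() helper are constructed for illustration, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example. Table contents are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table books (title text, publisher text)");
$db->exec("insert into books values ('Programming PHP', 'O''Reilly')");

$raw    = "O'Reilly";        // what $_GET['search'] holds with mqgpc off
$quoted = addslashes($raw);  // what mqgpc delivered when on: O\'Reilly

// The message's query, built by concatenation (hypothetical helper name).
function concat_query($search) {
    return "select * from books where publisher = '" . $search . "'";
}

// With mqgpc on, the backslash kept the literal closed on servers that
// treat backslash as an escape; with it off, the quote ends the literal early.
echo concat_query($quoted), "\n";
echo concat_query($raw), "\n";

// mqgpc removed: the concatenated query no longer parses.
try {
    $db->query(concat_query($raw));
    echo "concatenated, raw value: ran\n";
} catch (PDOException $e) {
    echo "concatenated, raw value: SQL error\n";
}

// Bound parameter: the value never becomes part of the SQL text,
// so the lookup works without any escaping of the input.
$stmt = $db->prepare("select title from books where publisher = ?");
$stmt->execute([$raw]);
echo "bound, raw value: ", count($stmt->fetchAll()), " row(s)\n";

// Migration pitfall: binding a value that mqgpc already escaped searches
// for the literal backslash, so the lookup silently matches nothing.
$stmt->execute([$quoted]);
echo "bound, mqgpc-escaped value: ", count($stmt->fetchAll()), " row(s)\n";
```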