On Apr 16, 2010, at 2:01 AM, Johannes Schlüter wrote: > On Fri, 2010-04-16 at 11:43 +0300, Arvids Godjuks wrote: >> You must have been flying somethere in the Andromeda galaxy all this time! >> >> magic_quotes, safe_mode and other stuff was announced depricated now for a >> few years, there is big buzz going on about it and these features are >> allready marked as depricated and throw warnings as of 5.3, some even as off >> 5.2. It's hard to miss articles, announce, conferences and numerous blog >> entries literally from any PHP developer who has a blog that these features >> are to be droped. > > Go to a random hosting site and look at there configuration - magic > quotes will be enabled. Look at some (not all) distributor packages - > magic quotes will be on. Many of them won't see it as it's "hidden" in > an error log which barely anybody read. Yes you do. You also read this > list. But that's a minority of our users. Most don't follow the > development closely. Most don't read blogs. Most don't know about > php.ini. Most don't know about security. > > The people we interact with are just the tip of the iceberg. Most PHP > users are hidden on the internet. > > I would love to get rid of this "feature" but I fear that many users > won't notice and i don't know how to tell them.
And a related issue is that magical quotes are still enabled by default in PHP, and removing a security feature that was enabled by default is not a simple matter. Not sure if disabling it by default (in trunk) is a preferred intermediate step, but it's possible. Regards, Philip -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
