On Nov 17, 2010, at 9:40 PM, Larry Garfield wrote:

> On Wednesday, November 17, 2010 11:19:05 pm Philip Olson wrote:
>>> What are your inputs on this matter?
>>
>> I'm struggling with this topic. We must do something, but it's important to
>> understand that plenty of people unknowingly rely upon this security
>> feature that's still enabled by default. Granted 5.3 does generate
>> E_DEPRECATED errors when magical quotes are enabled, but is one minor PHP
>> version of errors enough to go from on to gone?
>>
>> So while those in the know (e.g., people who follow this list) find them
>> annoying and wish they never existed, what are the implications? I'm still
>> unsure how best to handle this situation but wanted to express these
>> feelings now. Whatever the case, the education effort towards data
>> filtering and sanitization requires a lot of improvement.
>>
>> Regards,
>> Philip
>
> I won't miss magic quotes if they're removed, but I can see the argument for
> saying "not quite yet". Off-by-default is absolutely necessary if they're
> kept. (Dear god, you mean they aren't off by default already?)
>
> --Larry Garfield

This is true. And in addition to the E_DEPRECATED error, it's worth mentioning that 5.3 includes two optional php.ini-* files (php.ini-production and php.ini-development) that disable magic quotes. But of course not everyone uses these, and "default" is how PHP behaves without a php.ini file.

Older versions of PHP include php.ini-dist (On) and php.ini-recommended (Off).

Regards,
Philip

--
PHP Internals - PHP Runtime Development Mailing List