2010/11/18 Zeev Suraski <z...@zend.com>:
> The voice of reason...
> As much as I'd like to see magic quotes burning in hell (had the option to
> kill them when they were small, but unfortunately didn't), I'm wondering
> whether the people +1'ing are thinking about the potential consequences to
> doing this, and if they're also volunteering to respond (nicely!!) to the
> endless complaints, flames, and just general "what happened???!!!" mailing
> list emails that may flood us when this happens. With 6.0, we talked about
> having prepend-scripts that emulate magic quotes available, since like it or
> not - there are probably billions of lines of code out there that rely on the
> existence of magic quotes.
> I don't have a strong opinion on whether we should remove magic quotes
> altogether in 5.4 and provide emulation instructions, or just disable it by
> default as a first step.
I think we either should kill it or disable it now and remove it in the next major version of PHP, be that 5.5 or 6.0. I don't think we should provide emulation instructions, but rather some improved chapters in the manual about what they are, how they work and how to make sure applications are "protected" / compatible against them, so even the basic PHP developer takes it into consideration. Because even doing:

$mysqli->query('SELECT * FROM `developers` WHERE `username` = \'' . $_GET['username'] . '\'');

is bad with or without magic_quotes; there's a security issue nonetheless if people are writing code like that.

I think we need to better educate our developers about these features, and I wouldn't mind writing some manual pages regarding this we can advertise with the release. Or at least find out how big a problem it would be, because there are still many companies with legacy code applications running an ancient version of PHP and never would upgrade, or similar reasons.

But all in all, I think it depends on us advertising it properly in the manual, how to deal with it that is.

--
regards,

Kalle Sommer Nielsen
ka...@php.net
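The concatenation pattern quoted in the message, beside the prepared-statement form that makes magic quotes irrelevant and the compatibility check code needs while the setting still exists. This is an added example, not code from the thread; it assumes a mysqli connection and a `developers` table with a `username` column, as in the message.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection to a
// database with the `developers` table from the message; the `username` value
// is taken from $_GET as in the quoted snippet.

// 1. The pattern the message calls bad: user input is pasted into SQL text.
//    Whether magic_quotes_gpc (addslashes on every request value) is on or
//    off, the database parser still reads the value as part of the statement.
function legacyLookupSql(string $username): string
{
    return "SELECT * FROM `developers` WHERE `username` = '" . $username . "'";
}

// 2. What a magic-quotes emulation prepend-script does: escape every request
//    value up front, independent of where (or whether) it ends up in a query.
function emulateMagicQuotes(array $input): array
{
    return array_map(
        fn($v) => is_array($v) ? emulateMagicQuotes($v) : addslashes((string) $v),
        $input
    );
}

// 3. The fix that makes magic quotes irrelevant: a prepared statement keeps the
//    SQL fixed and sends the value separately, so no escaping is needed.
function lookupDeveloper(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT * FROM `developers` WHERE `username` = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Compatibility check for code that must run with and without magic quotes:
// if the runtime already escaped the input, undo it before binding, or the
// stored value ends up with literal backslashes (O\'Brien instead of O'Brien).
function rawRequestValue(string $value): string
{
    $magicOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magicOn ? stripslashes($value) : $value;
}

$db = new mysqli('localhost', 'user', 'pass', 'app'); // placeholder credentials
$username = rawRequestValue($_GET['username'] ?? '');
var_dump(lookupDeveloper($db, $username));
```

legacyLookupSql() is kept only to show the shape of the query the message warns about; it should never be executed with request data.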