On Thu, 2010-11-18 at 15:40 +0800, Adam Harvey wrote:
> Yes, killing magic quotes will likely increase the support workload
> for a time,

I don't think it would increase support workload. Most people won't
notice.

What happens is that applications which are _a bit_ secure now will
continue to run as before but become _completely_ insecure as there,
unfortunately, are many users who don't know about the different issues.
Code like
    mysql_query("SELECT id FROM table WHERE name = '".$_GET['name']."'");
is not too easy to exploit right now. As soon as m_q is gone it's
trivial to exploit. And people won't notice. And lots of such code
exists. Maybe not with internals subscribers, but there are enough
people who learned programming just last week using PHP and have the $1
hosting package ... and many of these things live "forever".

I think the default can only be changed in a change which breaks "a
lot".

To be clear: I am NOT saying that m_q is secure or safe. But dropping it
lowers the bar quite a lot.

johannes, who said this in multiple threads before ;-)


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
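
The concatenated query quoted in the message above, next to a form that does not depend on magic quotes. This is an added example, not code from the thread. The `people` table, the sample input and the function names are assumptions, and it needs PHP 7 or later with the pdo_sqlite extension.

```php
<?php
// Added example. Table, column and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO people (name) VALUES ('O''Reilly'), ('Smith')");

// Constructed input: a legitimate name that happens to contain a single quote.
$raw = "O'Reilly";

// What magic_quotes_gpc did to request values before the script saw them.
$withMagicQuotes = addslashes($raw);

// Same pattern as the query in the message. Only built and printed here, never run.
function concatenated(string $name): string
{
    return "SELECT id FROM people WHERE name = '" . $name . "'";
}

// With m_q the quote is backslash-escaped and stays inside the string literal.
echo concatenated($withMagicQuotes), "\n";
// Without m_q the quote closes the literal and the rest is parsed as SQL.
echo concatenated($raw), "\n";

// Migration helper: undo magic quotes where the setting still exists and is on,
// so the value is the same raw string on every PHP version.
function requestValue(string $value): string
{
    $on = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $on ? stripslashes($value) : $value;
}

// Hardened form: the value travels as a bound parameter, never as SQL text,
// so the result does not change when the m_q default changes.
function findIds(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id FROM people WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo json_encode(findIds($pdo, requestValue($raw))), "\n";
```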
