On Wed, Nov 17, 2010 at 11:40:37PM -0600, Larry Garfield wrote:
>
> I won't miss magic quotes if they're removed, but I can see the argument for
> saying "not quite yet". Off-by-default is absolutely necessary if they're
> kept. (Dear god, you mean they aren't off by default already?)

When opening my mouth on this list I often end up with my foot in it.
Hopefully this isn't one of them...

Disabling magic quotes by default leads to the same confusion and
security issues as removing them completely. But, we can remove magic
quotes completely if we add a fail safe mechanism. Here are two
potential options:

1) Add taint support (http://news.php.net/php.internals/37209)
and enable it by default. This provides other security benefits, too.

or

2) Error out if using CGI or web SAPI and one of the following is true:
   a) php.ini does not contain "magic_quotes_gpc = Off"
   b) php.ini contains "magic_quotes_runtime = On"
   c) php.ini contains "magic_quotes_sybase = On"
   d) php.ini does not exist

--Dan

--
 T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
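
The conditions of option 2, written as an offline audit of a php.ini file. This is an added example, not part of the original message and not PHP's own code. The function names, the constructed sample files, and the choice to accept PHP's other false spellings (0, no, false, none) as "Off" are assumptions.

```python
import os
import re

# Spellings PHP's ini handling treats as boolean false / true (lowercased here).
FALSE_VALUES = {"off", "0", "no", "false", "none"}
TRUE_VALUES = {"on", "1", "yes", "true"}
DIRECTIVE = re.compile(r"^\s*(magic_quotes_(?:gpc|runtime|sybase))\s*=\s*([^;]*)")

# Constructed sample files, not taken from any real system.
SAMPLE_OK = "[PHP]\nmagic_quotes_gpc = Off\nmagic_quotes_runtime = Off\n"
SAMPLE_BAD = "[PHP]\n;magic_quotes_gpc = Off\nmagic_quotes_sybase = On ; legacy\n"


def read_magic_quotes(ini_text):
    """Return {directive: value}; the last assignment in the file wins."""
    found = {}
    for line in ini_text.splitlines():
        m = DIRECTIVE.match(line)  # commented-out lines (leading ';') never match
        if m:
            found[m.group(1)] = m.group(2).strip().strip("\"'").lower()
    return found


def failsafe_errors(ini_text):
    """Apply conditions (a)-(d); pass None when php.ini does not exist."""
    if ini_text is None:
        return ["(d) php.ini does not exist"]
    seen = read_magic_quotes(ini_text)
    errors = []
    # (a) requires an explicit Off: a missing or commented-out line fails too.
    if seen.get("magic_quotes_gpc") not in FALSE_VALUES:
        errors.append("(a) magic_quotes_gpc is not explicitly Off")
    if seen.get("magic_quotes_runtime") in TRUE_VALUES:
        errors.append("(b) magic_quotes_runtime is On")
    if seen.get("magic_quotes_sybase") in TRUE_VALUES:
        errors.append("(c) magic_quotes_sybase is On")
    return errors


def check_file(path):
    """Audit the php.ini at `path` (hypothetical helper for this example)."""
    if not os.path.isfile(path):
        return failsafe_errors(None)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return failsafe_errors(fh.read())


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("missing", None)):
        print(name, failsafe_errors(text) or "passes")
```

The second sample fails condition (a) even though magic quotes may be off by default, because the check demands an explicit setting rather than trusting the default.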