Hi,

On Thu, 2010-11-18 at 11:20 -0500, Daniel Convissor wrote:
> Disabling magic quotes by default leads to the same confusion and security 
> issues as removing them completely. 

ACK

>  But, we can remove magic quotes 
> completely if we add a fail safe mechanism.  Here are two potential 
> options:
> 
> 1) Add taint support (http://news.php.net/php.internals/37209) and enable 
> it by default.  This provides other security benefits, too.

replace one magic which proved to be bad with another magic ...

> or
> 
> 2) Error out if using CGI or web SAPI and one of the following is true:
>    a) php.ini does not contain "magic_quotes_gpc = Off"
>    b) php.ini contains "magic_quotes_runtime = On"
>    c) php.ini contains "magic_quotes_sybase = On"
>    d) php.ini does not exist

d) is no option.

johannes



-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
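
The startup check proposed in option 2 of the quoted message, sketched as an added example (not code from the thread or from PHP itself). It assumes a CGI or web SAPI is in use; the function names and the sample php.ini contents are constructed for illustration.

```python
# Added illustration: static check of php.ini text against conditions (a)-(d).
SAMPLE_SAFE = "[PHP]\nmagic_quotes_gpc = Off\nmagic_quotes_runtime = Off\n"  # constructed
SAMPLE_RISKY = "magic_quotes_gpc = On ; legacy app\nmagic_quotes_sybase = 1\n"  # constructed


def read_directives(ini_text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    directives = {}
    for raw in ini_text.splitlines():
        # ';' starts a comment (simplification: ';' inside quotes is not handled)
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip()] = value.strip().strip("\"'").lower()
    return directives


def is_on(value):
    """PHP-style boolean: on/yes/true or a non-zero integer."""
    if value in ("on", "yes", "true"):
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False


def violations(ini_text):
    """Return the letters of the conditions that would make startup fail.

    ini_text is the php.ini content, or None when no php.ini exists.
    """
    if ini_text is None:
        return ["d"]
    d = read_directives(ini_text)
    found = []
    # (a) requires an explicit "Off"; an absent or commented-out directive fails.
    if "magic_quotes_gpc" not in d or is_on(d["magic_quotes_gpc"]):
        found.append("a")
    if is_on(d.get("magic_quotes_runtime", "")):
        found.append("b")
    if is_on(d.get("magic_quotes_sybase", "")):
        found.append("c")
    return found


if __name__ == "__main__":
    for name, text in (("safe", SAMPLE_SAFE), ("risky", SAMPLE_RISKY), ("missing", None)):
        print(name, violations(text))
```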
