Perhaps I have missed something in this discussion where such a change to
PHP does not break every single application that is supposed to pass raw,
user submitted, SQL *without* getting prepared/nerfed, or warned about, by
intentional application design.

If we're just limiting the nerfing for submitted GPC variables (since PHP
is used a lot for web applications)... we still have a non-trivial number
of those installed applications which require raw, user created, unescaped
SQL, passing through to function as designed.

I am thinking of the class of applications like phpMyAdmin, as well as the
millions of other database utility scripts, application install
scripts, (etc.) out there that perform similar tasks, that need to pass raw
SQL, as crafted by users, without preparation, intentionally.

Of course, we could just add a "bypass_the_nerfing()" function, and such a
function could then possibly see widespread adoption, everywhere, rendering
the entire exercise moot.
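The breakage described above, as an added example that is not part of the original thread or of any PHP proposal. It simulates the hypothetical language-level "nerfing" of GPC variables with `addslashes()` (an assumption; the post names no concrete mechanism), feeds a constructed administrator-typed statement through an in-memory SQLite database via PDO, and contrasts that with the two designs the post alludes to: an admin console that intentionally passes raw SQL, and ordinary application code that binds user-supplied values with prepared statements so no blanket escaping is needed.

```php
<?php
// Added example, not code from the thread. The "nerf" is simulated with
// addslashes(); the request data below is constructed to mimic an admin SQL
// console (phpMyAdmin-style) receiving a user-crafted statement.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO people (name) VALUES ('O''Brien'), ('Smith')");

// Constructed input: the raw SQL an administrator typed into the console.
// The doubled quote is the correct SQL escape for an apostrophe.
$_POST['sql'] = "SELECT name FROM people WHERE name = 'O''Brien'";

// 1. Hypothetical blanket nerfing applied to every GPC value before the
//    application sees it. The valid statement is mangled into invalid SQL.
$nerfed = addslashes($_POST['sql']);
echo "after nerfing: $nerfed\n";
try {
    $pdo->query($nerfed);
    echo "nerfed statement unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "nerfed statement fails: " . $e->getMessage() . "\n";
}

// 2. The console's intended design: pass the statement through untouched.
//    The security boundary for such a tool is who may reach it, not the
//    text of the SQL itself.
$rows = $pdo->query($_POST['sql'])->fetchAll(PDO::FETCH_COLUMN);
echo "raw passthrough returns: " . json_encode($rows) . "\n";

// 3. Ordinary application code never needs global escaping: user input is a
//    value bound to a parameter, so quotes in it are data, not syntax.
$_GET['name'] = "O'Brien";           // constructed: the user typed an apostrophe
$stmt = $pdo->prepare("SELECT name FROM people WHERE name = :name");
$stmt->bindValue(':name', $_GET['name'], PDO::PARAM_STR);
$stmt->execute();
echo "prepared lookup returns: " . json_encode($stmt->fetchAll(PDO::FETCH_COLUMN)) . "\n";
```

Run it with `php example.php` (requires the pdo_sqlite extension). Case 1 shows why a language-wide escape step breaks tools that are supposed to receive raw SQL, and case 3 shows why well-written application code gains nothing from it: the value is already kept out of the statement text by the driver.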
