On 6/21/06, Tyson Tate <[EMAIL PROTECTED]> wrote:
> Oh - I haven't heard of the magic_quotes fiasco. Do you have any
> links or more information about this? If it blew up for the PHP
> folks, I think I'd be prone to changing my position on the issue.

The magic_quotes setting in PHP is a "feature" which attempted to
automatically escape input data. The theory was that it would prevent
SQL injection attacks (which were and still are a common form of
attack against database-backed applications) by escaping data before
storage.

In reality, however, it proved to be a nightmare for application
developers; you never knew if a particular host's setup would have
magic_quotes on or off, and there were actually *two* commonly used
settings and a third less-common one which could enable various forms
of escaping. Before you could even think about looking at data your
program received, you had to test for these settings to figure out
what sort of escaping PHP was "helpfully" doing for you.

It's led to an interesting situation where, despite being turned on by
default in PHP, the official documentation recommends turning it off.
Supposedly, PHP6 will finally send magic_quotes to the grave.

-- 
"May the forces of evil become confused on the way to your house."
  -- George Carlin
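The detect-and-undo dance the message describes, as an added example that is not part of the original post and is not code from PHP or Django. It is written for PHP 5.x, where the three ini settings (magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase) still existed; the function_exists() guards let it load on later versions, where the functions were deprecated and then removed. The helper names strip_magic_quotes and find_user, the SQLite table and the inputs are assumptions constructed for the example; the PDO part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the original message. Shows (a) the checks a
// PHP 5 application had to run before trusting its own input, and (b) the
// approach that makes all three magic_quotes settings irrelevant.

/**
 * Hypothetical helper: recursively remove the backslashes that
 * magic_quotes_gpc inserted into $_GET/$_POST/$_COOKIE so application
 * code sees the raw request data it was sent.
 */
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        // array_map with a single array preserves the keys.
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// 1. magic_quotes_gpc: PHP escaped request data before the script ran.
//    Undo it, otherwise "O'Reilly" arrives as "O\'Reilly" and any later
//    escaping call (mysql_real_escape_string, addslashes) doubles it up.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// 2. magic_quotes_runtime: PHP escaped data read at runtime from files and
//    database result sets. This one could be switched off from a script.
if (function_exists('set_magic_quotes_runtime') && get_magic_quotes_runtime()) {
    set_magic_quotes_runtime(0);
}

// 3. magic_quotes_sybase: changed the escaping style for (1) from \' to ''.
//    stripslashes() is the wrong inverse for that style, and the setting
//    cannot be changed from a script, so the most a script can do is warn.
if (ini_get('magic_quotes_sybase')) {
    trigger_error(
        'magic_quotes_sybase is on; stripslashes() does not undo its escaping',
        E_USER_WARNING
    );
}

/**
 * Hypothetical query helper: the data never touches the SQL text, so it
 * does not matter what escaping PHP did or did not apply on the way in.
 */
function find_user(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('O''Reilly'), ('Tyson')");

// Constructed inputs: a classic injection payload and a legitimate name
// containing an apostrophe. The payload is bound as a plain string and
// matches no row; the apostrophe needs no escaping to match its row.
$hostile = "' OR '1'='1";
var_dump(count(find_user($db, $hostile)));
var_dump(count(find_user($db, "O'Reilly")));
```

The first half is the cost the message is talking about: three settings, each with its own inverse, all of which had to be checked before any input could be used. The second half is why the Django discussion did not need an equivalent: with bound parameters, escaping at input time has nothing to protect.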

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers
-~----------~----~----~----~------~----~------~--~---
