For the 18th time, nobody is talking about enabling it by default.
-Rasmus
Ron Korving wrote:
Exactly right! Who knows what I'm gonna do with my input?
- html output?
- text output?
- pdf output?
- stdout or stderr output?
- binary output?
- <whatever> output?
- file i/o?
- mysql query?
- mssql query?
- db2 query?
- encryption?
It is a BIG mistake to just assume any of these. And how about the values I get from files or database queries? They're not filtered. So what is stopping me from outputting potentially bad data from another source than $_GET or $_POST?
It is a very very bad thing to assume.
It's just like what happened with magic_quotes_gpc... People assumed (god knows why) that every $_GET or $_POST var was going to be used in a MySQL query. Awful judgement by the one who called that. If you, for example, used both the MSSQL and MySQL extensions at the same time, you had an even bigger problem, because both escape strings in their own ways.
Please, don't make php.ini decide what I can and cannot do with my data. Now I know it's only a default, but it will mean I'm going to have to consider that this default could be anything on a given server and therefore code my way around the default at all times. Security is good, but this has the potential to be a huge pain in the ass. Don't make a not-very-easy-to-reverse mistake.
Ron
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
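The context-dependence Ron describes, as an added example that is not part of the thread: one constructed request value is run through a single blanket input escaping (what magic_quotes_gpc effectively did) and then used in HTML, MySQL and MSSQL contexts, next to per-destination escaping applied at output time. The sample string, the helper names and lookupUser() are constructed for illustration, not taken from PHP's own code.

```php
<?php
// Constructed stand-in for a request value such as $_GET['name'].
$raw = "O'Reilly <b>&</b> \\path";

// magic_quotes_gpc-style: one escaping applied to every input value,
// assuming a MySQL destination. addslashes() is what it amounted to.
$blanket = addslashes($raw);

// HTML context: only htmlspecialchars() makes the value safe here.
// A blanket-escaped value additionally shows stray backslashes to users.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// MySQL string-literal context, done by hand for contrast with MSSQL.
// Applied to already-blanket-escaped input it double-escapes.
function forMysqlLiteral(string $s): string {
    return "'" . addslashes($s) . "'";
}

// MSSQL/T-SQL string-literal context: backslash is not an escape
// character, quotes are doubled. MySQL-style escaping is simply wrong.
function forMssqlLiteral(string $s): string {
    return "'" . str_replace("'", "''", $s) . "'";
}

// The real answer for SQL is parameter binding, which needs no string
// escaping at all and leaves the input untouched for other destinations.
// (Hypothetical query; needs a live PDO connection to run.)
function lookupUser(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo "HTML  from raw:     ", forHtml($raw), "\n";
echo "HTML  from blanket: ", forHtml($blanket), "\n";         // O\&#039;Reilly ... \\path
echo "MySQL from raw:     ", forMysqlLiteral($raw), "\n";
echo "MySQL from blanket: ", forMysqlLiteral($blanket), "\n"; // O\\\'Reilly: double-escaped
echo "MSSQL from raw:     ", forMssqlLiteral($raw), "\n";
echo "MSSQL from blanket: ", forMssqlLiteral($blanket), "\n"; // 'O\''Reilly: literal ends early
```

Run with `php example.php`; the "from blanket" lines show the same stored value being wrong for every destination except the one the blanket escaping guessed, which is the point of escaping at output rather than at input.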