On Fri, Apr 16, 2010 at 12:51:23AM +0200, Johannes Schlüter wrote:
> 
> Removing magic_quotes would be soooooooooooo great. BUT the issue is
> that most users don't know about it. Many applications are more or less
> secure due to its existence. The apps aren't fully secure, but they have
> a few fewer vectors.

One way to remove magic_quotes without opening massive quantities of 
security holes would be implementing taint mode support 
(http://wiki.php.net/rfc/taint) and having the default taint_error_level 
be E_FATAL.

Yes, this creates a painful upgrade path for the multitudes using 
insecure coding practices.  But it will hurt a lot less than having their 
applications inadvertently subverted by hackers/crackers/spammers/etc due 
to upgrading PHP.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
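To make the "a few less vectors" point concrete, the following is an added example (not code from the thread or from the taint RFC): a legacy query builder of the kind that only held up because magic_quotes_gpc ran addslashes() over every request value, the same code once that crutch is gone, and the parameterised version that needs neither magic_quotes nor taint mode. It assumes the pdo_sqlite extension for an in-memory database; the users table, the column names and the attacker string are constructed for the demo.

```php
<?php
// Added example, not from the original thread. Assumes pdo_sqlite is available;
// the table, column names and attacker input below are constructed for the demo.

// What magic_quotes_gpc did to every GET/POST/COOKIE value: addslashes().
function apply_magic_quotes(array $input): array {
    return array_map('addslashes', $input);
}

// Legacy query builder typical of code that "worked" under magic_quotes:
// the request value is interpolated straight into the SQL string.
function legacy_login_query(string $user): string {
    return "SELECT id FROM users WHERE name = '$user'";
}

// Hardened version: a parameterised query, so the value never becomes SQL syntax.
function find_user_id(PDO $db, string $user): ?int {
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed attacker input: closes the string literal and makes the predicate true.
$attack = "x' OR '1'='1";

// 1. With magic_quotes on, the value arrives as x\' OR \'1\'=\'1. MySQL treats the
//    backslash as an escape, so the injection is neutralised there (0 rows). SQLite
//    does not, so the very same query is a syntax error here: the "protection" was
//    an accident of SQL dialect, not correct escaping.
$quoted = apply_magic_quotes(['user' => $attack]);
try {
    $rows = $db->query(legacy_login_query($quoted['user']))->fetchAll();
    printf("magic_quotes on : %d row(s)\n", count($rows));
} catch (PDOException $e) {
    echo "magic_quotes on : SQL error (", $e->getMessage(), ")\n";
}

// 2. With magic_quotes removed, the untouched legacy code returns every user.
$rows = $db->query(legacy_login_query($attack))->fetchAll();
printf("magic_quotes off: %d row(s)\n", count($rows));

// 3. The prepared-statement version is safe regardless of any ini setting.
var_dump(find_user_id($db, $attack));   // NULL
var_dump(find_user_id($db, 'bob'));     // int(2)
```

Case 2 is exactly the failure mode the thread is worried about: nothing in the application changed, only the PHP upgrade, and a query that used to return nothing now matches every row. Case 1 also shows why relying on magic_quotes was never sound even before its removal, since addslashes() only happens to match MySQL's quoting rules.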

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
