On Wed, Nov 17, 2010 at 5:08 PM, Kalle Sommer Nielsen <ka...@php.net> wrote:

> Greetings
>
> I wanted to raise this topic before we go Alpha with trunk, regarding
> our beloved magic_quotes feature. There seem to be mixed opinions
> regarding it so I thought I would take it up for discussion.
>
> We have advised people not to use magic_quotes, register_globals and
> the like for years, and they were marked as deprecated in 5.3.0+ if
> activated through their php.ini directives. Yet magic_quotes still is
> set to "On" in 5.3.0. I think it's worth we either remove the feature
> or disable it in trunk as it's a security-related feature. Let's have a
> look at what each of those options means:
>
> Removing magic_quotes):
> Means we will remove the feature entirely in the source, we will throw
> an E_CORE_ERROR if activated so people who have it enabled are forced
> to disable it and make their applications work without magic_quotes.
> This creates a minor issue for the hosts that simply disable it and
> have their customers' applications run without them which can create a
> security risk for them, although it should be fairly limited. The
> functions to check for magic_quotes_runtime should however stay for BC
> to avoid applications that run on multiple versions of PHP from doing:
> if(function_exists('...') && ...)
>
> Disabling them):
> This will help to disable the spread of magic_quotes even more, and it
> can safely be removed in the next major version of PHP.
>
>
> My personal vote here goes towards removing them entirely.
>
>
> What are your inputs on this matter?
>
> --
> regards,
>
> Kalle Sommer Nielsen
> ka...@php.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
+1 for removing it.

Tyrael
