On Nov 19, 2010, at 6:45 PM, Stanley Sufficool wrote:

> On Fri, Nov 19, 2010 at 8:14 AM, Daniel Convissor
> <dani...@analysisandsolutions.com> wrote:
>> On Fri, Nov 19, 2010 at 04:41:48PM +0100, Ferenc Kovacs wrote:
>>> you can get pwn3d with magic_quotes_gpc = On
>>
>> That goes without saying. Nonetheless, it will be problematic for PHP
>> to disable/remove a "security" feature that some people rely on.
>
> Well then +1 for making the setting throw deprecated PHP startup
> notifications when turned on with a link to suggested security
> practices for SQL, exec(), passthru(), and other sensitive functions
> benefiting from magic quotes.
Linking to a document sounds reasonable, but we already provide an
E_DEPRECATED error when any magic quotes setting is enabled (as of 5.3.0),
so the probable question here is if we should disable MQ by default (in
5.4) and remove it later (5.5 or 6.0), or simply remove it now. I lean
towards disabling by default in 5.4, and removing in 6.0.

> Also throw an E_NOTICE deprecated for the magic_quotes_gpc() function
> as well for those that check if this setting is on/off.

Punishing people who write compatible code feels wrong, so
get_magic_quotes_gpc() should never emit an error. Heck, this harmless
function might even exist in PHP 7. My guess is most people simply run
stripslashes() if On, rather than avoid superior escaping mechanisms.

> But please start the movement in the direction that this will be
> removed in the future.

I'm having a difficult time grasping the exact implications here, except
that a default value change mostly affects people without php.ini files.
I'm not sure who those people are, or how they may end up using PHP 5.4,
but maybe a wiser old timer can predict this story. But for good measure:

What we have already done with magic_quotes_gpc:
-------
(Note: sister magic_quotes_runtime has always defaulted to Off)

PHP 4, 5.0, 5.1, 5.2
 - Default (On)
 - php.ini-dist (On)
 - php.ini-recommended (Off)

PHP 5.3
 - Default (On)
 - php.ini-development (Off)
 - php.ini-production (Off)
 - E_DEPRECATED error when On

Distributions/vendors:
 - I'm not sure which defaults they all use

We've recommended Off for a long time now (year ~2000) so should feel okay
with whatever decision is made. But, our main focus is handling clueless
code that magically works (sort of) thanks to magical quotes. Magic!

Regards,
Philip

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
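The "compatible code" pattern the message refers to (check get_magic_quotes_gpc(), run stripslashes() if it is On, and escape at the point of use instead), written out as an added example. This is not code from the thread or from PHP itself; the SQLite PDO DSN, the users table and the printf command are assumptions made for the example, and the function_exists() guard is there because get_magic_quotes_gpc() was removed in PHP 8.0.

```php
<?php
// Added example, not from the thread: undo magic_quotes_gpc when it is
// On, then rely on escaping that matches the sink (prepared statements for
// SQL, escapeshellarg() for exec()) rather than on the ini setting.

// Recursively strip the backslashes magic_quotes_gpc added to GET/POST/COOKIE.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Guarded so the same code runs whether the setting is On, Off, or the
// function no longer exists (assumption: get_magic_quotes_gpc() is absent
// on PHP >= 8.0).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// SQL sink: a prepared statement, so the raw value never reaches the SQL
// parser. The in-memory SQLite DSN and the users table are assumptions.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien')");

// Constructed sample input: a value containing a single quote, which is
// exactly what magic_quotes_gpc would have mangled.
$name = isset($_GET['name']) ? $_GET['name'] : "O'Brien";
$stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
var_dump($stmt->fetchColumn());

// Shell sink: quote the argument for the shell instead of trusting the
// slashes magic quotes would have added (they are not shell escaping).
$file = isset($_GET['file']) ? $_GET['file'] : "it's; rm -rf .txt";
exec('printf %s ' . escapeshellarg($file), $out, $rc);
var_dump($out);
```

Run it with magic_quotes_gpc both On and Off (or on a PHP where the function no longer exists) and the output is the same, which is the point: the code does not depend on the setting, so disabling or removing it costs nothing.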