Bug #16480 Updated: strings should remember whether they are magic_quoted, htmlized or neither

2002-05-06 Thread spearow

 ID:   16480
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Open
 Bug Type: Feature/Change Request
 Operating System: any
 PHP Version:  4.3.0
 New Comment:

is it really that hard to write a few lines of code to check if
magic_quotes is enabled or not and addslashes() or stripslashes() your
variables as desired?


Previous Comments:


[2002-05-01 22:39:35] [EMAIL PROTECTED]

Bogus? BOGUS?!?! Whaddaya mean, bogus?! I'm offended!

;-) OK, I'm not. But Bugzilla's WONTFIX is certainly much more polite,
though just as disappointing.

Anyway, as the saying goes, talk is cheap but code is free. (Of course,
not all code is free and some talk can get you into prison...) Well,
the saying doesn't mention code, but after all, we're extending
languages, aren't we?

OK, I'm getting to the point. You can download the patch at:
http://nebuchadnezzar.zion.cz/php_strings.php

Try it, test it, read what I have to say about it, perhaps even use it,
make an opinion and tell me what it is! Just don't forget it's early
alpha, nearly untested code.

Sniper, why do you want to remove magic_quotes _and_ not implement
string types? That's cruel!

Is it a definitive and shared opinion that "This feature is not the way
to go."? Has there been any debate? (Sorry, I'm not subscribed to the
mailing lists.) What do the other developers think? Have you even
seriously considered it?



[2002-04-19 11:20:40] [EMAIL PROTECTED]

Real solution is to remove those magic_* options altogether.
And write your code using the addslashes(), etc.

This feature is not the way to go.




[2002-04-09 13:42:45] [EMAIL PROTECTED]

Clarification: to preserve backward compatibility, string literals
without a string type specification would have an undefined or
unknown type and PHP wouldn't do any automatic conversion on them.
This makes it necessary to add a type specifier for normal,
non-escaped, non-HTMLized strings: n"..." or (NormalString)"...", or
perhaps (PlainString)



[2002-04-07 19:09:06] [EMAIL PROTECTED]

Idea: any string should know whether AddSlashes (or magic quotes) or
HtmlSpecialChars or neither has been applied to it. Then you could have
functions declare what kind of string they expect as parameters and
what kind of string they return, and PHP would automatically do the
conversion. When writing string literals, one could indicate the type
by prepending a letter: q"..." for magic-quoted (or s"..." for added
slashes, which is the same), and h"..." for HTMLized string. When
including variables in a string literal, PHP would convert them, if
necessary, to the same string type as the literal. Then you could
write:

mysql_query(q"INSERT INTO table VALUES('$var')");

and PHP would do the right thing regardless of whether $var has the
quotes escaped or not, because it would _know_ if it has, and escape
them if it has not.

The example for HTMLized string goes like this:
echo h"<INPUT TYPE=HIDDEN NAME=whatever VALUE=\"$var\">";

Of course, PHP would also have to correctly handle string
concatenations etc. - when you join several strings of different kinds,
it should convert all of them to the kind of the first one...

If you don't like the q"..." syntax, the same could be done with
typecasting: (EscapedString)"..." and (HTMLizedString)"..." - in fact,
it's probably better, because that way you could typecast any strings
(or any values, in fact), not just string literals.

I think it is a problem that now the behaviour of applications is
seriously dependent on PHP's configuration of magic_quotes - this would
solve it! (I.e. now, when I write a script that expects magic_quotes
on, it will have serious security holes when run with magic_quotes
off!)

Wow, isn't that a brilliant idea! ;-) (You can't expect praise from
anyone but yourself.)




-- 
Edit this bug report at http://bugs.php.net/?id=16480&edit=1
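
The typed-string idea from the 2002-04-07 comment, sketched in userland PHP as an added example; it is not the patch linked in the thread and not part of PHP. The class TypedString, its methods and the sample values are hypothetical, and addslashes() stands in for the "escaped" kind.

```php
<?php
// Added illustration; TypedString and its methods are hypothetical, not a PHP API.
// addslashes() is not charset-aware; bound parameters are the robust way to pass values to SQL.
final class TypedString
{
    const PLAIN = 'plain';     // no escaping applied: (PlainString)
    const ESCAPED = 'escaped'; // addslashes() applied: (EscapedString)
    const HTML = 'html';       // htmlspecialchars() applied: (HTMLizedString)
    private $value;
    private $kind;

    public function __construct(string $value, string $kind = self::PLAIN)
    {
        $this->value = $value;
        $this->kind = $kind;
    }

    // Convert via the plain form so each escaping is applied exactly once.
    public function to(string $kind): string
    {
        if ($kind === $this->kind) {
            return $this->value;
        }
        $plain = $this->value;
        if ($this->kind === self::ESCAPED) {
            $plain = stripslashes($plain);
        } elseif ($this->kind === self::HTML) {
            $plain = htmlspecialchars_decode($plain, ENT_QUOTES);
        }
        if ($kind === self::ESCAPED) {
            return addslashes($plain);
        }
        return $kind === self::HTML ? htmlspecialchars($plain, ENT_QUOTES, 'UTF-8') : $plain;
    }
    // The result takes the kind of the first operand, as the proposal suggests.
    public function concat(TypedString $other): TypedString
    {
        return new TypedString($this->value . $other->to($this->kind), $this->kind);
    }
}

// Constructed input: the same text with magic_quotes off (raw) and on (quoted).
$raw = new TypedString("O'Reilly <b>");
$quoted = new TypedString("O\\'Reilly <b>", TypedString::ESCAPED);
$sql = new TypedString("INSERT INTO t VALUES('", TypedString::ESCAPED);
$tag = new TypedString('<input type="hidden" value="', TypedString::HTML);
foreach ([$raw, $quoted] as $var) {
    echo $sql->concat($var)->to(TypedString::ESCAPED), "')\n";
    echo $tag->concat($var)->to(TypedString::HTML), "\">\n";
}
```

Both inputs produce identical SQL and identical HTML output, because the conversion is driven by the recorded kind rather than by the server's magic_quotes setting.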




Bug #16480 Updated: strings should remember whether they are magic_quoted, htmlized or neither

2002-05-01 Thread vdhome

 ID:   16480
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Bogus
+Status:   Open
 Bug Type: Feature/Change Request
 Operating System: any
-PHP Version:  4.1.2
+PHP Version:  4.3.0
 New Comment:

Bogus? BOGUS?!?! Whaddaya mean, bogus?! I'm offended!

;-) OK, I'm not. But Bugzilla's WONTFIX is certainly much more polite,
though just as disappointing.

Anyway, as the saying goes, talk is cheap but code is free. (Of course,
not all code is free and some talk can get you into prison...) Well,
the saying doesn't mention code, but after all, we're extending
languages, aren't we?

OK, I'm getting to the point. You can download the patch at:
http://nebuchadnezzar.zion.cz/php_strings.php

Try it, test it, read what I have to say about it, perhaps even use it,
make an opinion and tell me what it is! Just don't forget it's early
alpha, nearly untested code.

Sniper, why do you want to remove magic_quotes _and_ not implement
string types? That's cruel!

Is it a definitive and shared opinion that "This feature is not the way
to go."? Has there been any debate? (Sorry, I'm not subscribed to the
mailing lists.) What do the other developers think? Have you even
seriously considered it?


Previous Comments:


[2002-04-19 11:20:40] [EMAIL PROTECTED]

Real solution is to remove those magic_* options altogether.
And write your code using the addslashes(), etc.

This feature is not the way to go.




[2002-04-09 13:42:45] [EMAIL PROTECTED]

Clarification: to preserve backward compatibility, string literals
without a string type specification would have an undefined or
unknown type and PHP wouldn't do any automatic conversion on them.
This makes it necessary to add a type specifier for normal,
non-escaped, non-HTMLized strings: n"..." or (NormalString)"...", or
perhaps (PlainString)



[2002-04-07 19:09:06] [EMAIL PROTECTED]

Idea: any string should know whether AddSlashes (or magic quotes) or
HtmlSpecialChars or neither has been applied to it. Then you could have
functions declare what kind of string they expect as parameters and
what kind of string they return, and PHP would automatically do the
conversion. When writing string literals, one could indicate the type
by prepending a letter: q"..." for magic-quoted (or s"..." for added
slashes, which is the same), and h"..." for HTMLized string. When
including variables in a string literal, PHP would convert them, if
necessary, to the same string type as the literal. Then you could
write:

mysql_query(q"INSERT INTO table VALUES('$var')");

and PHP would do the right thing regardless of whether $var has the
quotes escaped or not, because it would _know_ if it has, and escape
them if it has not.

The example for HTMLized string goes like this:
echo h"<INPUT TYPE=HIDDEN NAME=whatever VALUE=\"$var\">";

Of course, PHP would also have to correctly handle string
concatenations etc. - when you join several strings of different kinds,
it should convert all of them to the kind of the first one...

If you don't like the q"..." syntax, the same could be done with
typecasting: (EscapedString)"..." and (HTMLizedString)"..." - in fact,
it's probably better, because that way you could typecast any strings
(or any values, in fact), not just string literals.

I think it is a problem that now the behaviour of applications is
seriously dependent on PHP's configuration of magic_quotes - this would
solve it! (I.e. now, when I write a script that expects magic_quotes
on, it will have serious security holes when run with magic_quotes
off!)

Wow, isn't that a brilliant idea! ;-) (You can't expect praise from
anyone but yourself.)




-- 
Edit this bug report at http://bugs.php.net/?id=16480&edit=1




Bug #16480 Updated: strings should remember whether they are magic_quoted, htmlized or neither

2002-04-19 Thread sniper

 ID:   16480
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Open
+Status:   Bogus
 Bug Type: Feature/Change Request
 Operating System: any
 PHP Version:  4.1.2
 New Comment:

Real solution is to remove those magic_* options altogether.
And write your code using the addslashes(), etc.

This feature is not the way to go.



Previous Comments:


[2002-04-09 13:42:45] [EMAIL PROTECTED]

Clarification: to preserve backward compatibility, string literals
without a string type specification would have an undefined or
unknown type and PHP wouldn't do any automatic conversion on them.
This makes it necessary to add a type specifier for normal,
non-escaped, non-HTMLized strings: n"..." or (NormalString)"...", or
perhaps (PlainString)



[2002-04-07 19:09:06] [EMAIL PROTECTED]

Idea: any string should know whether AddSlashes (or magic quotes) or
HtmlSpecialChars or neither has been applied to it. Then you could have
functions declare what kind of string they expect as parameters and
what kind of string they return, and PHP would automatically do the
conversion. When writing string literals, one could indicate the type
by prepending a letter: q"..." for magic-quoted (or s"..." for added
slashes, which is the same), and h"..." for HTMLized string. When
including variables in a string literal, PHP would convert them, if
necessary, to the same string type as the literal. Then you could
write:

mysql_query(q"INSERT INTO table VALUES('$var')");

and PHP would do the right thing regardless of whether $var has the
quotes escaped or not, because it would _know_ if it has, and escape
them if it has not.

The example for HTMLized string goes like this:
echo h"<INPUT TYPE=HIDDEN NAME=whatever VALUE=\"$var\">";

Of course, PHP would also have to correctly handle string
concatenations etc. - when you join several strings of different kinds,
it should convert all of them to the kind of the first one...

If you don't like the q"..." syntax, the same could be done with
typecasting: (EscapedString)"..." and (HTMLizedString)"..." - in fact,
it's probably better, because that way you could typecast any strings
(or any values, in fact), not just string literals.

I think it is a problem that now the behaviour of applications is
seriously dependent on PHP's configuration of magic_quotes - this would
solve it! (I.e. now, when I write a script that expects magic_quotes
on, it will have serious security holes when run with magic_quotes
off!)

Wow, isn't that a brilliant idea! ;-) (You can't expect praise from
anyone but yourself.)




-- 
Edit this bug report at http://bugs.php.net/?id=16480&edit=1




Bug #16480 Updated: strings should remember whether they are magic_quoted, htmlized or neither

2002-04-09 Thread vdhome

 ID:   16480
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Open
 Bug Type: Feature/Change Request
 Operating System: any
 PHP Version:  4.1.2
 New Comment:

Clarification: to preserve backward compatibility, string literals
without a string type specification would have an undefined or
unknown type and PHP wouldn't do any automatic conversion on them.
This makes it necessary to add a type specifier for normal,
non-escaped, non-HTMLized strings: n"..." or (NormalString)"...", or
perhaps (PlainString)


Previous Comments:


[2002-04-07 19:09:06] [EMAIL PROTECTED]

Idea: any string should know whether AddSlashes (or magic quotes) or
HtmlSpecialChars or neither has been applied to it. Then you could have
functions declare what kind of string they expect as parameters and
what kind of string they return, and PHP would automatically do the
conversion. When writing string literals, one could indicate the type
by prepending a letter: q"..." for magic-quoted (or s"..." for added
slashes, which is the same), and h"..." for HTMLized string. When
including variables in a string literal, PHP would convert them, if
necessary, to the same string type as the literal. Then you could
write:

mysql_query(q"INSERT INTO table VALUES('$var')");

and PHP would do the right thing regardless of whether $var has the
quotes escaped or not, because it would _know_ if it has, and escape
them if it has not.

The example for HTMLized string goes like this:
echo h"<INPUT TYPE=HIDDEN NAME=whatever VALUE=\"$var\">";

Of course, PHP would also have to correctly handle string
concatenations etc. - when you join several strings of different kinds,
it should convert all of them to the kind of the first one...

If you don't like the q"..." syntax, the same could be done with
typecasting: (EscapedString)"..." and (HTMLizedString)"..." - in fact,
it's probably better, because that way you could typecast any strings
(or any values, in fact), not just string literals.

I think it is a problem that now the behaviour of applications is
seriously dependent on PHP's configuration of magic_quotes - this would
solve it! (I.e. now, when I write a script that expects magic_quotes
on, it will have serious security holes when run with magic_quotes
off!)

Wow, isn't that a brilliant idea! ;-) (You can't expect praise from
anyone but yourself.)




-- 
Edit this bug report at http://bugs.php.net/?id=16480&edit=1