Re: [PHP-DEV] Disable magic quote by default.

2002-02-16 Thread Stefan Esser

magic_quotes_by_default is a nice way to make scripts (written by novices)
safer. Unfortunately mqbd forces you to write insecure scripts. If you put
such scripts onto a server that doesn't have mqbd they are insecure.

From my point of view enabling mq by default was a very very bad idea,
because it's the wrong way to fight insecure scripts. People must learn what
they have to do and what they must not do. Anyway it would be even worse to
disable mq by default in the next release. It breaks not many scripts I
guess, but it would break their security, because most scripts are not
designed to work without mqbd today.

Hmmm btw... This idea just came to my mind and I don't know if it would be
too much overhead, but what about keeping track of what variables got
already magically quoted and do not quote them again if the script wants it.

Stefan Esser


-- 
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php




[PHP-DEV] Snapshot binary release...

2002-02-16 Thread Stefan Esser

Hi,

Could it be possible to package a Windows Snapshot Binary Release?
People again and again have header() problems and as long as they are
using some form of unix I can tell them to patch the one line into
it. But I doubt a standard windows user has the build utilities and
the skills to compile it. I write this while reading #8744, because
it sounds like another occurrence of the uninitialised variable
problem in SAPI.c.

Stefan





Re: [PHP-DEV] socket_send() ...also a bug?

2002-02-16 Thread Markus Fischer

It's documented on
http://www.php.net/manual/en/zend.arguments.retrieval.php

It's a kind of promoting binary safety. Not the number of
parameters passed to zend_parse_parameters() is important
but what modifiers are used to describe the parameters.

Since a string is not only meant to be characters from A-Z
but in fact can be anything including binary data, it's a
good idea [tm] to always get the pointer to the string AND its
length and work with both when making further function calls
(if possible).

On Sat, Feb 16, 2002 at 03:08:06AM +0100, Richard Samar wrote : 
> 
> 
> Sean R. Bright wrote:
> > 
> > len is the length of the buffer.  When 's' is specified in
> > zend_parse_parameters, both the string and the number of characters
> > are returned to the calling function.  In this case, len is the
> > length of 'buf_len.'
> 
> :-) oki, the given prototype is wrong then. 
> 
> Could you post me an example. I don't understand 's'.
> 
> thx
> 
> best regards
> -moh

-- 
Please always Cc to me when replying to me on the lists.
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc





Re: [PHP-DEV] PHP Tag Libraries

2002-02-16 Thread Markus Fischer

On Sat, Feb 16, 2002 at 01:33:43AM +0100, Alexander Feldman wrote : 
> It is strange that such an issue had not been discussed here in
> the past (or maybe I have missed the mails as I don't follow
> the list very regularly).

You seem to have missed it, there was something about this
topic during the last months.

Btw, as long as the implementation isn't in C (it's not quite
clear from your mail to me) but in PHP it's off-topic anyway
and should better be directed to php-general or pear-* if you
want to contribute.

-- 
Please always Cc to me when replying to me on the lists.
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc





Re: [PHP-DEV] PHP Tag Libraries

2002-02-16 Thread Alexander Feldman

> On Sat, Feb 16, 2002 at 01:33:43AM +0100, Alexander Feldman wrote :
> > It is strange that such an issue had not been discussed here in
> > the past (or maybe I have missed the mails as I don't follow
> > the list very regularly).
> 
> You seem to have missed it, there was something about this
> topic during the last months.

Will search the archives...


> Btw, as long as the implementation isn't in C (it's not quite
> clear from your mail to me) but in PHP it's off-topic anyway
> and should better be directed to php-general or pear-* if you
> want to contribute.

No, no - the implementation is in C (I don't think that this can be done in
PHP only), however it is still under construction, hence I've not posted
the patches here. In my previous mail I wanted only to show how it'll look
for the end-user and to ask for the comments of the community...

Rgds:

Alex

> --
> Please always Cc to me when replying to me on the lists.
> GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc








[PHP-DEV] CVS Account Request: artemus

2002-02-16 Thread Artemis Mendrinos

Obtain CVS account.





[PHP-DEV] CVS account requests

2002-02-16 Thread Jon Parise

I was thinking it might be reasonable to request that a person
asking for a CVS account should first present a small
contribution.

For example, someone interested in translating documentation
should submit a translated chapter with their account request, or
a person that wants to work on the code should first submit at
least one patch or reference some of their bug reports.

Would this be going too far?

-- 
Jon Parise ([EMAIL PROTECTED])  .  Information Technology (2001)
http://www.csh.rit.edu/~jon/  :  Computer Science House Member





Re: [PHP-DEV] CVS account requests

2002-02-16 Thread Dan Kalowsky

Eh kind of gives the feeling of doing the work without reaping the
benefits to me.  Or maybe I'm just too negative.

On Sat, 16 Feb 2002, Jon Parise wrote:

> I was thinking it might be reasonable to request that a person
> asking for a CVS account should first present a small
> contribution.
> 
> For example, someone interested in translating documentation
> should submit a translated chapter with their account request, or
> a person that wants to work on the code should first submit at
> least one patch or reference some of their bug reports.
> 
> Would this be going too far?



---
Dan Kalowsky                      Tonight I think I'll walk alone.
http://www.deadmime.org/~dank     I'll find soul as I go home.
[EMAIL PROTECTED]                 - Temptation, New Order






[PHP-DEV] CVS Account Request: bernardojts

2002-02-16 Thread Bernardo João Torres da Silveira

I'm using PHP and I think this is a great resource for web programmers since it
supports lots of libraries you can work with. Thinking of this I wanted to thank PHP
developers in some way and so, to help Brazilian and Portuguese PHP users and train my
English, I want to translate the PHP documentation to Portuguese, since its translation is
very incomplete.





Re: [PHP-DEV] Disable magic quote by default.

2002-02-16 Thread Yasuo Ohgaki

Stefan Esser wrote:
> magic_quotes_by_default is a nice way to make scripts (written by novices)
> safer. Unfortunately mqbd forces you to write insecure scripts. If you put
> such scripts onto a server that doesn't have mqbd they are insecure.

This is true. I bet many novices write insecure scripts.
It may not be a good idea for PHP 4.2 :(

I'll add more description to
http://www.php.net/manual/en/security.variables.php
and try again for PHP5.

> Hmmm btw... This idea just came to my mind and I don't know if it would be
> too much overhead, but what about keeping track of what variables got
> already magically quoted and do not quote them again if the script wants it.

This idea sounds nice to me :)

-- 
Yasuo Ohgaki






Re: [PHP-DEV] Disable magic quote by default.

2002-02-16 Thread Yasuo Ohgaki

Yasuo Ohgaki wrote:
> Stefan Esser wrote:
> 
> > magic_quotes_by_default is a nice way to make scripts (written by novices)
> > safer. Unfortunately mqbd forces you to write insecure scripts. If you put
> > such scripts onto a server that doesn't have mqbd they are insecure.
> 
> 
> This is true. I bet many novices write insecure scripts.
> It may not be a good idea for PHP 4.2 :(
> 
> I'll add more description to
> http://www.php.net/manual/en/security.variables.php
> and try again for PHP5.
> 
> > Hmmm btw... This idea just came to my mind and I don't know if it would be
> > too much overhead, but what about keeping track of what variables got
> > already magically quoted and do not quote them again if the script wants it.
> 
> This idea sounds nice to me :)
 

Forgot to ask if anyone objects to making magic quotes off by default
for PHP5. Anyone?

-- 
Yasuo Ohgaki






Re: [PHP-DEV] Disable magic quote by default.

2002-02-16 Thread Lars Torben Wilson

On Sat, 2002-02-16 at 18:01, Yasuo Ohgaki wrote:
> Yasuo Ohgaki wrote:
> > Stefan Esser wrote:
> > 
> > > magic_quotes_by_default is a nice way to make scripts (written by novices)
> > > safer. Unfortunately mqbd forces you to write insecure scripts. If you put
> > > such scripts onto a server that doesn't have mqbd they are insecure.
> > 
> > 
> > This is true. I bet many novices write insecure scripts.
> > It may not be a good idea for PHP 4.2 :(
> > 
> > I'll add more description to
> > http://www.php.net/manual/en/security.variables.php
> > and try again for PHP5.
> > 
> > > Hmmm btw... This idea just came to my mind and I don't know if it would be
> > > too much overhead, but what about keeping track of what variables got
> > > already magically quoted and do not quote them again if the script wants it.
> > 
> > This idea sounds nice to me :)

The WTF factor for that would be off the scale. Think about how many
bug reports about addslashes() not working we'd have to bogusify.

-1

> Forgot to ask if anyone objects to making magic quotes off by default
> for PHP5. Anyone?

+1
 
> -- 
> Yasuo Ohgaki


-- 
Torben Wilson [EMAIL PROTECTED]
http://www.thebuttlesschaps.com
http://www.hybrid17.com
http://www.inflatableeye.com
+1.604.709.0506






Re: [PHP-DEV] Disable magic quote by default.

2002-02-16 Thread Yasuo Ohgaki

Lars Torben Wilson wrote:
> On Sat, 2002-02-16 at 18:01, Yasuo Ohgaki wrote:
*SNIP*
> The WTF factor for that would be off the scale. Think about how many
> bug reports about addslashes() not working we'd have to bogusify.
> 
> -1

I agree. That's why I thought it may be better to wait
until PHP5 and I promised to edit the manual now ;)

In PHP5, there are compatibility issues anyway.

IMHO, magic quote is handy for very simple applications
but not for more complex applications. It's also not a
recommended way to rely on to secure code.

I guess the majority of PHP application developers are willing to get rid of
magic_quote_gpc=On support from their code.
Anyone willing to maintain compatibility for the
magic_quote_gpc=On setting for your scripts?

Any comments?

-- 
Yasuo Ohgaki






[PHP-DEV] Re: Disable magic quote by default.

2002-02-16 Thread Steve Meyers

Lars Torben Wilson wrote:

> On Sat, 2002-02-16 at 18:01, Yasuo Ohgaki wrote:
> > Yasuo Ohgaki wrote:
> > > Stefan Esser wrote:
> > > > Hmmm btw... This idea just came to my mind and I don't know if it
> > > > would be too much overhead, but what about keeping track of what
> > > > variables got already magically quoted and do not quote them again
> > > > if the script wants it.
> > > 
> > > This idea sounds nice to me :)
> 
> The WTF factor for that would be off the scale. Think about how many
> bug reports about addslashes() not working we'd have to bogusify.
> 
 

This is a huge security factor, though, so wouldn't it be worth it to make
new functions, for instance magic_slash() and magic_unslash(), that depend
on the magic quotes setting for whether they actually add/strip slashes?
That way security conscious scripts can be written easily without any worry
about the end user's environment either screwing up the script or making it
insecure.

This would hopefully eliminate the WTF factor.

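The magic_slash()/magic_unslash() pair proposed in the post above, and the portability problem Stefan describes in the first message of this page (a script that assumes magic_quotes_gpc is on becomes either double-escaped or unescaped when moved to a server with the opposite setting), as one added example in PHP. This is not code from the thread, from PHP, or from any of the posters; only the two function names come from Steve's post. The bodies, the simulate_gpc() helper, the explicit $magic_on parameter (used so both server configurations can be shown in one run; a real script would read magic_quotes_active() instead) and the sample value O'Reilly are my own assumptions.

```php
<?php
// Added example, not code from the thread. The $magic_on flag stands in for
// the server's magic_quotes_gpc setting so both configurations can be compared
// in a single run; magic_quotes_active() is what a real script would use.

function magic_quotes_active(): bool
{
    // get_magic_quotes_gpc() always returns false from PHP 5.4 on and was
    // removed in PHP 8.0, so this is false on any current interpreter.
    return function_exists('get_magic_quotes_gpc') && (bool) @get_magic_quotes_gpc();
}

// What $_GET/$_POST actually contain for a raw request value (constructed helper).
function simulate_gpc(string $raw, bool $magic_on): string
{
    return $magic_on ? addslashes($raw) : $raw;
}

// Steve's proposal: escape only when magic quotes has not already done so.
function magic_slash(string $s, bool $magic_on): string
{
    return $magic_on ? $s : addslashes($s);
}

// ...and its inverse: recover exactly what the user typed, on either server.
function magic_unslash(string $s, bool $magic_on): string
{
    return $magic_on ? stripslashes($s) : $s;
}

// Naive script 1: relies on magic quotes and escapes nothing itself.
// Correct on an mq server, unescaped (and injectable) everywhere else.
function query_relying_on_mq(string $received): string
{
    return "SELECT * FROM users WHERE name = '" . $received . "'";
}

// Naive script 2: always calls addslashes(). Correct without magic quotes,
// double-escaped (stores a literal backslash) on an mq server.
function query_always_addslashes(string $received): string
{
    return "SELECT * FROM users WHERE name = '" . addslashes($received) . "'";
}

// Portable script: produces the same SQL literal under both configurations.
function query_portable(string $received, bool $magic_on): string
{
    return "SELECT * FROM users WHERE name = '" . magic_slash($received, $magic_on) . "'";
}

// All three queries plus the recovered raw value, for one input and one setting.
function compare(string $raw, bool $magic_on): array
{
    $received = simulate_gpc($raw, $magic_on);
    return [
        'relying'  => query_relying_on_mq($received),
        'always'   => query_always_addslashes($received),
        'portable' => query_portable($received, $magic_on),
        'raw_back' => magic_unslash($received, $magic_on),
    ];
}

foreach ([true, false] as $magic_on) {
    echo 'magic_quotes_gpc=' . ($magic_on ? 'On' : 'Off') . "\n";
    foreach (compare("O'Reilly", $magic_on) as $label => $value) {
        printf("  %-9s %s\n", $label, $value);
    }
}
```

Running it shows the point of the thread in one screen: the "relying" query is only safe when magic quotes is on, the "always" query only produces clean data when it is off, while the "portable" query and the recovered raw value are identical in both rows. The helpers do nothing more than addslashes()/stripslashes() gated on the setting, which is also why they would not trigger the bogus "addslashes() is broken" reports Lars worries about. Today the cleanest fix is to unslash input once and then use parameterised queries, so no script ever has to know what the server's ini file says.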