Lars Torben Wilson wrote:

> On Sat, 2002-02-16 at 18:01, Yasuo Ohgaki wrote:
>> Yasuo Ohgaki wrote:
>> > Stefan Esser wrote:
>> >  > Hmmm btw... This idea just came to my mind and I don't know if it
>> >  > would be too much overhead, but what about keeping track of what
>> >  > variables got already magically quoted and do not quote them again
>> >  > if the script wants it.
>> > 
>> > This idea sounds nice to me :)
> 
> The WTF factor for that would be off the scale. Think about how many
> bug reports about addslashes() not working we'd have to bogusify.
> 

This is a huge security factor, though, so wouldn't it be worth it to make 
new functions, for instance magic_slash() and magic_unslash(), that depend 
on the magic quotes setting for whether they actually add/strip slashes? 
That way security-conscious scripts can be written easily without any worry 
about the end user's environment either screwing up the script or making it 
insecure.

This would hopefully eliminate the WTF factor.

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
