On 17 November 2010 16:08, Kalle Sommer Nielsen <ka...@php.net> wrote:
> Greetings
>
> I wanted to raise this topic before we go Alpha with trunk, regarding
> our beloved magic_quotes feature. There seem to be mixed opinions
> regarding it so I thought I would take it up for discussion.
>
> We have advised people not to use magic_quotes, register_globals and
> the like for years, and they were marked as deprecated in 5.3.0+ if
> activated through their php.ini directives. Yet magic_quotes still is
> set to "On" in 5.3.0. I think it's worth we either remove the feature
> or disable it in trunk as it's a security-related feature. Let's have a
> look at what each of those options means:
>
> Removing magic_quotes):
> Means we will remove the feature entirely in the source, we will throw
> an E_CORE_ERROR if activated so people who have it enabled are forced
> to disable it and make their applications work without magic_quotes.
> This creates a minor issue for the hosts that simply disable it and
> have their customers' applications run without them which can create a
> security risk for them, although it should be fairly limited. The
> functions to check for magic_quotes_runtime should however stay for BC
> to avoid applications that run on multiple versions of PHP from doing:
> if(function_exists('...') && ...)
>
> Disabling them):
> This will help to disable the spread of magic_quotes even more, and it
> can safely be removed in the next major version of PHP.
>
>
> My personal vote here goes towards removing them entirely.
>
>
> What are your inputs on this matter?
>
> --
> regards,
>
> Kalle Sommer Nielsen
> ka...@php.net

Certainly +1 for removal, but wasn't there some discussion a LONG
while ago about when this should be?

I would have thought that anything deprecated would best be removed at
the next major release. So that makes it gone for V6 - whenever that
may be.

Richard

-- 
Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
