On Fri, Nov 19, 2010 at 10:36 PM, Philip Olson <phi...@roshambo.org> wrote:
>
> On Nov 19, 2010, at 6:45 PM, Stanley Sufficool wrote:
>> On Fri, Nov 19, 2010 at 8:14 AM, Daniel Convissor
>> <dani...@analysisandsolutions.com> wrote:
>>> On Fri, Nov 19, 2010 at 04:41:48PM +0100, Ferenc Kovacs wrote:
>>>> you can get pwn3d with magic_quotes_gpc = On
>>>
>>> That goes without saying. Nonetheless, it will be problematic for PHP
>>> to disable/remove a "security" feature that some people rely on.
>>
>> Well then +1 for making the setting throw deprecated PHP startup
>> notifications when turned on with a link to suggested security
>> practices for SQL, exec(), passthru(), and other sensitive functions
>> benefiting from magic quotes.
>
> Linking to a document sounds reasonable, but we already provide an
> E_DEPRECATED error when any magic quotes setting is enabled (as of 5.3.0), so
> the probable question here is if we should disable MQ by default (in 5.4) and
> remove it later (5.5 or 6.0), or simply remove it now. I lean towards
> disabling by default in 5.4, and removing in 6.0.
>
>> Also throw an E_NOTICE deprecated for the magic_quotes_gpc() function
>> as well for those that check if this setting is on/off.
>
> Punishing people who write compatible code feels wrong, so
> get_magic_quotes_gpc() should never emit an error. Heck, this harmless
> function might even exist in PHP 7. My guess is most people simply run
> stripslashes() if On, rather than avoid superior escaping mechanisms.
I retract my assertion that get_magic_quotes_gpc() throw anything. ;-)

>
>> But please start the movement in the direction that this will be
>> removed in the future.
>
> I'm having a difficult time grasping the exact implications here, except
> that a default value change mostly affects people without php.ini files. I'm
> not sure who those people are, or how they may end up using PHP 5.4, but
> maybe a wiser old timer can predict this story. But for good measure:
>
> What we have already done with magic_quotes_gpc:
> -------
> (Note: sister magic_quotes_runtime has always defaulted to Off)
>
> PHP 4, 5.0, 5.1, 5.2
> - Default (On)
> - php.ini-dist (On)
> - php.ini-recommended (Off)
>
> PHP 5.3
> - Default (On)
> - php.ini-development (Off)
> - php.ini-production (Off)
> - E_DEPRECATED error when On
>
> Distributions/vendors:
> - I'm not sure which defaults they all use
>
> We've recommended Off for a long time now (year ~2000) so should feel okay
> with whatever decision is made. But, our main focus is handling clueless code
> that magically works (sort of) thanks to magical quotes. Magic!

FWIW, my SQL Server code doesn't magically work with this setting on, I just get a bunch of crappy "quote\\\\\\\\\\\'s " values after several iterations.

>
> Regards,
> Philip
>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
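The two mechanisms discussed in this exchange, as an added example that is not code from the thread or from PHP itself: the backslash build-up Stanley reports when input already altered by magic_quotes_gpc is escaped again, and the "stripslashes() if On" compatibility shim Philip refers to, followed by parameter binding. The sample value, the strip_magic_quotes() helper and the in-memory SQLite table are constructed for this illustration.

```php
<?php
// Added example, not part of the original thread.

// Constructed sample value, exactly as a user would type it.
$raw = "O'Reilly";

// With magic_quotes_gpc = On, PHP runs addslashes() over GPC data before the
// script sees it. Simulated here so the example behaves the same on any version.
$fromRequest = addslashes($raw);   // the quote is now preceded by a backslash

// Anti-pattern: escaping again on every round trip. addslashes() also escapes
// backslashes, so each pass doubles them; after a few iterations the stored
// value is the "quote\\\\'s"-style garbage described above.
$twice  = addslashes($fromRequest);
$thrice = addslashes($twice);

// Compatibility shim: undo magic quotes exactly once, recursing into arrays.
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

// Guarded so the same code runs on PHP 5.x (setting On or Off), on 7.4 (where
// calling get_magic_quotes_gpc() is deprecated) and on 8.x (function removed).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// Once the input is back to what the user typed, bind it as a parameter. The
// driver handles quoting, so no addslashes()/stripslashes() dance is needed
// and the value never changes on its way into or out of the database.
$clean = strip_magic_quotes($fromRequest);
$pdo   = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE authors (name TEXT)');
$stmt  = $pdo->prepare('INSERT INTO authors (name) VALUES (:name)');
$stmt->execute([':name' => $clean]);

$stored = $pdo->query('SELECT name FROM authors')->fetchColumn();
var_dump($stored === $raw);   // the round trip preserves the original value
var_dump($thrice);            // shows how the re-escaped variant has grown
```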