It's not a matter of version of Joomla, but rather philosophy of PHP developers.
Turning magic quotes on sanitizes variables automatically so they have less potential for causing database injection attacks. Initially, this was suggested as "more secure" because it means the programmer doesn't have to sanitize the data.

Then the problem is that big apps [like Joomla] get installed on lots of different platforms, so you can't count on it being turned on. What is worse is that you have to use 2 different lines of code for retrieving variables based on whether magic quotes is on or off. So when you have software which can be deployed on platforms you have no control over, now one line of code has become 4, because you have to do an if/else clause for every variable retrieval.

So what was initially created to aid programmers in being lazy now causes more work for programmers. Hence programmers forced to do more work inaccurately will say it is less secure because they're doing more work.

The long and the short of it is, magic quotes has no impact on server security. It's the PHP programming that will have that impact.

On Sat, Oct 24, 2009 at 3:46 PM, David A. Roth <davidalanr...@gmail.com> wrote:

> So my big question for this wet Saturday afternoon is, should this be
> OFF for all modern installations of Joomla, or it isn't a security
> issue anymore?
>
> Yes, I plan to upgrade all the Joomla web sites to the latest. I
> presume the best way to do this is follow the chain of patches?

Actually, no you can't upgrade from 1.0 to 1.5 - instead you migrate. Depending on how many components you have this may or may not be painful.

The way we did it recently was to create a dev snapshot of a production system. Then installed the migrator component to export all the base joomla stuff. Then we created another dev site and installed 1.5 onto it, importing the migration file during setup. Then we enabled the legacy mode plugin.

I copied over the tables for some existing components [advanceSEF and Zoomgallery] and then installed the latest versions of those components to the 1.5 site. We copied over the contents of the 1.0 templates directory and those worked in 1.5 with legacy enabled. Then we updated the templates to 1.5 and turned off legacy mode. Finally once we were sure the site was correct, the dev site was backed up and restored to production.
_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
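The if/else retrieval described in the message above, kept in one helper and followed by a bound-parameter insert, as an added example that is not part of the original post and is not Joomla's code. The helper names, the sample form value and the in-memory SQLite table are assumptions made for illustration; it needs the pdo_sqlite extension.

```php
<?php
// Added example; the helper names below are hypothetical, not Joomla's API.

// get_magic_quotes_gpc() was removed in PHP 8.0, hence the function_exists() guard.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Magic quotes escaped nested array values too (e.g. name="tags[]").
function undo_magic_quotes($value)
{
    return is_array($value)
        ? array_map('undo_magic_quotes', $value)
        : stripslashes($value);
}

// One place for the if/else instead of repeating it at every retrieval.
// $quotesOn lets a caller (or a test) override the detected ini setting.
function request_value(array $source, $key, $default = null, $quotesOn = null)
{
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    if ($quotesOn === null) {
        $quotesOn = magic_quotes_active();
    }
    return $quotesOn ? undo_magic_quotes($source[$key]) : $source[$key];
}

// Constructed input: the same form field as delivered with the setting on and off.
$withQuotes    = array('author' => "O\\'Brien");
$withoutQuotes = array('author' => "O'Brien");

$a = request_value($withQuotes, 'author', null, true);
$b = request_value($withoutQuotes, 'author', null, false);
var_dump($a === $b); // compares the two normalized values

// The value is bound as a parameter, so the query does not rely on the ini setting.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (author TEXT)');
$stmt = $db->prepare('INSERT INTO comments (author) VALUES (:author)');
$stmt->execute(array(':author' => $a));
echo $db->query('SELECT author FROM comments')->fetchColumn(), "\n";
```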