Request for Comments: Magic Quotes in PHP, the Finalé

Introduction

Magic Quotes needs to be done away with. This needs to be done in a safe, orderly manner.

Common Misconceptions

1) Magic Quotes are already off. While they are set to off in our distributed php.ini files, they are on by default in PHP itself.

2) Magic Quotes already raise an E_DEPRECATED message. The message is only raised when explicitly setting “magic_quotes_* = On”. People on systems using PHP's default values do not get any warning about Magic Quotes being deprecated.

3) Magic Quotes isn't a safety feature. Yes, administrators and programmers relying on this feature are misguided. Nonetheless, there are people (unknowingly) relying on this behavior to escape their SQL statements. Turning it off by default without explicitly warning users via the language itself will open security holes.
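
The reliance described in point 3, as an added example that is not part of the RFC: a query built by concatenation, which depends on Magic Quotes for its escaping, beside a bound-parameter query that behaves the same whether the setting is on or off. The `authors` table, the `raw_input_value()` helper and the sample value are constructed for illustration, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not code from the RFC. Names below are hypothetical.
// Assumes the pdo_sqlite extension is loaded.

// Undo magic_quotes_gpc when it is active, so request data is handled the
// same way whether the setting is on (PHP's built-in default) or off.
// The function_exists() guard covers PHP versions without the function.
function raw_input_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (name TEXT)');
$db->exec("INSERT INTO authors (name) VALUES ('O''Reilly')");

// Constructed sample standing in for $_POST['name'] with Magic Quotes off.
$name = "O'Reilly";

// Pattern that silently depends on Magic Quotes: the value is concatenated
// into the statement, so the only escaping it ever gets is the backslash
// that magic_quotes_gpc would have added (MySQL-style escaping, which not
// every database accepts).
$fragile = "SELECT COUNT(*) FROM authors WHERE name = '" . $name . "'";
try {
    $db->query($fragile);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    // The apostrophe closed the string literal: input was parsed as SQL.
    echo "concatenated query failed: input was parsed as SQL\n";
}

// Pattern that does not depend on the setting: the value is bound as a
// parameter and never becomes part of the SQL text.
$stmt = $db->prepare('SELECT COUNT(*) FROM authors WHERE name = ?');
$stmt->execute(array(raw_input_value($name)));
echo "prepared query matched ", $stmt->fetchColumn(), " row(s)\n";
```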

Proposal

5.4

trunk (5.4 + 1 major release)

5.4 + 2 major releases

“removal” What do people think should happen here? Please discuss.

References

Changelog