Request for Comments: Magical Quotes in PHP
- Version: 1.0
- Date: April 15, 2008
- Last updated: April 16, 2008
- Author: Philip Olson firstname.lastname@example.org
- Status: Accepted
- Note: This RFC is about PHP 6.0 (our old HEAD/Trunk) and NOT PHP 5.4
- First Published at: http://wiki.php.net/rfc/magicquotes
- Followed up by: magicquotes_finale for PHP 5.4
This has been discussed a few times, with mixed results, so here is a proposal that deals with Magical Quotes starting with PHP 5.3.0. The purpose of this RFC is to safely deprecate the use of magical quotes as of PHP 5.3.0, and remove as of PHP 6.0.0.
All here agree that magic quotes is not the best solution to any problem, and that people should stop using them. However, people use them. And other people simply leave them on. And even others check for them.
Getting versus Setting
A key distinction exists between getting and setting magic quotes. The getting should remain as okay, whereas the setting should be deprecated, yelled at, and removed. This is an important distinction to realize when evaluating this topic.
So when speaking of E_DEPRECATED and the removal of magic quotes, we speak of the setting and not the getting of said setting. So to be clear, the following code should work in PHP 6 by emitting zero errors:
<?php get_magic_quotes_gpc(); // returns false get_magic_quotes_runtime(); // returns false ?>
Setting is removed
The following code is to emit an E_DEPRECATED error as of PHP 5.3.0, and the function removed (fatal error) as of PHP 6.0.0:
<?php set_magic_quotes_runtime(); // bad ?>
Also, as currently done, setting magic quotes via the directive (like in php.ini) to on should produce a fatal error in PHP 6, but continue to do nothing if set to off. In PHP 5.3 this is to produce an E_DEPRECATED when set to on, but do nothing when setting to off.
Required changes from today
- Remove E_DEPRECATED warnings from the 5.3 branch for get_*
- Restore get_* functions to PHP 6, and return false
Why do this?
Because programmers enjoy writing portable version friendly code, and have done so for many years both past, present, and future. The idea presented in this RFC is the original decision, and as such is still mentioned in NEWS today.
The main concern with this RFC is how we default magic_quotes_gpc to On in PHP 5.2 but suddenly set it to off with an E_DEPRECATED error in PHP 5.3. If this remains then an extremely strong education effort must be executed.