rfc:magicquotes

Request for Comments: Magical Quotes in PHP

Introduction

This has been discussed a few times, with mixed results, so here is a proposal that deals with Magical Quotes starting with PHP 5.3.0. The purpose of this RFC is to safely deprecate the use of magical quotes as of PHP 5.3.0, and remove as of PHP 6.0.0.

Common Misconceptions

All here agree that magic quotes is not the best solution to any problem, and that people should stop using them. However, people use them. And other people simply leave them on. And even others check for them.

Getting versus Setting

A key distinction exists between getting and setting magic quotes. The getting should remain as okay, whereas the setting should be deprecated, yelled at, and removed. This is an important distinction to realize when evaluating this topic.

Getting remains

So when speaking of E_DEPRECATED and the removal of magic quotes, we speak of the setting and not the getting of said setting. So to be clear, the following code should work in PHP 6 by emitting zero errors:

<?php 
    get_magic_quotes_gpc();     // returns false
    get_magic_quotes_runtime(); // returns false
?>

Setting is removed

The following code is to emit an E_DEPRECATED error as of PHP 5.3.0, and the function removed (fatal error) as of PHP 6.0.0:

<?php 
    set_magic_quotes_runtime(); // bad
?>

Also, as currently done, setting magic quotes via the directive (like in php.ini) to on should produce a fatal error in PHP 6, but continue to do nothing if set to off. In PHP 5.3 this is to produce an E_DEPRECATED when set to on, but do nothing when setting to off.

Required changes from today

  • Remove E_DEPRECATED warnings from the 5.3 branch for get_*
  • Restore get_* functions to PHP 6, and return false

Why do this?

Because programmers enjoy writing portable version friendly code, and have done so for many years both past, present, and future. The idea presented in this RFC is the original decision[1], and as such is still mentioned in NEWS[2] today.

Questions

The main concern with this RFC is how we default magic_quotes_gpc to On in PHP 5.2 but suddenly set it to off with an E_DEPRECATED error in PHP 5.3. If this remains then an extremely strong education effort must be executed.

References

rfc/magicquotes.txt · Last modified: 2011/07/18 18:39 by philip